GHSA-g2f6-pwvx-r275

Source
https://github.com/advisories/GHSA-g2f6-pwvx-r275
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-g2f6-pwvx-r275/GHSA-g2f6-pwvx-r275.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g2f6-pwvx-r275
Published
2026-03-16T20:41:12Z
Modified
2026-03-16T20:46:21.952072Z
Severity
  • 7.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Summary
OpenClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection
Details

Summary

openclaw versions <= 2026.3.12 accepted unsanitized iMessage remote attachment paths when staging files over SCP, allowing shell metacharacters in the remote path operand.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.3.12
  • Fixed version: 2026.3.13

Details

The vulnerable path was the remote attachment staging flow in src/auto-reply/reply/stage-sandbox-media.ts. When ctx.MediaRemoteHost was set, OpenClaw staged the attachment by spawning /usr/bin/scp against <remoteHost>:<remotePath>. In affected releases, the remote host was normalized but the remote attachment path was not validated for shell metacharacters before being passed to the SCP remote operand. A sender-controlled iMessage attachment filename containing shell metacharacters could therefore trigger command execution on the configured remote host when remote attachment staging was enabled.

This issue is in scope under OpenClaw's trust model because it crosses an inbound content boundary into host command execution on a configured remote attachment host.

Fix

openclaw@2026.3.13 validates the SCP remote path before spawning scp. Current code calls normalizeScpRemotePath(...) and rejects paths containing shell metacharacters instead of passing them through to the remote shell.

Regression coverage exists in src/auto-reply/reply.stage-sandbox-media.scp-remote-path.test.ts (rejects remote attachment filenames with shell metacharacters before spawning scp).
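The shape of the check described above, written out as an added example in TypeScript (the project's language). This is not OpenClaw's code and not its normalizeScpRemotePath; the names isSafeScpRemotePath, validateScpRemotePath, buildScpArgs and triage, the metacharacter set, and the sample attachment paths are all assumptions constructed for illustration. It assumes what the advisory states: the remote host has already been normalized, and the untrusted part is the attachment filename that ends up in the remote operand of a spawned scp.

```typescript
// Added example (not OpenClaw's code): reject-on-metacharacter validation for
// the remote operand of an scp invocation, as the 2026.3.13 fix is described.

// Legacy scp hands the remote path to the remote login shell, so any of these
// characters can change what that shell runs. A filename that came from an
// inbound message sender is untrusted, so the safe choice is to reject it.
const SHELL_METACHARACTERS = /[;&|<>`$(){}\[\]!*?#~\\"'\s]/;

class UnsafeRemotePathError extends Error {
  constructor(remotePath: string) {
    super(`unsafe scp remote path: ${JSON.stringify(remotePath)}`);
    this.name = "UnsafeRemotePathError";
  }
}

// True only for a non-empty path with no control characters, no shell
// metacharacters, no ".." segments and no empty segments (a leading "/" for an
// absolute path is the one permitted empty segment).
function isSafeScpRemotePath(remotePath: string): boolean {
  if (remotePath.length === 0) return false;
  for (const ch of remotePath) {
    const code = ch.codePointAt(0) ?? 0;
    if (code < 0x20 || code === 0x7f) return false; // NUL, newline, other controls
  }
  if (SHELL_METACHARACTERS.test(remotePath)) return false;
  const segments = remotePath.split("/");
  return segments.every(
    (seg, i) => seg !== ".." && (seg !== "" || (i === 0 && segments.length > 1)),
  );
}

// Validate-and-return, the hardened shape: anything the check rejects throws
// before it can reach the spawn call.
function validateScpRemotePath(remotePath: string): string {
  if (!isSafeScpRemotePath(remotePath)) throw new UnsafeRemotePathError(remotePath);
  return remotePath;
}

// Argument vector for spawning /usr/bin/scp (argv form, never a shell string).
// In affected releases the equivalent of this function built the
// `${remoteHost}:${remotePath}` operand without the validation step.
function buildScpArgs(remoteHost: string, remotePath: string, localDest: string): string[] {
  const safePath = validateScpRemotePath(remotePath);
  return [`${remoteHost}:${safePath}`, localDest];
}

// Constructed sample filenames (not real data), shaped like inbound attachment
// paths. Only the first one should be accepted.
const SAMPLE_REMOTE_PATHS = [
  "Library/Messages/Attachments/ab/IMG_0001.HEIC",
  "Library/Messages/Attachments/ab/IMG 0001.HEIC", // whitespace
  "Library/Messages/Attachments/ab/IMG;0001.HEIC", // command separator
  "Library/Messages/Attachments/ab/IMG$(x).HEIC", // substitution syntax
  "Library/Messages/Attachments/../escape.HEIC", // traversal segment
];

// Sorts candidate paths into accepted and rejected, e.g. for a log line or a
// detection rule over staging attempts.
function triage(paths: string[]): { accepted: string[]; rejected: string[] } {
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const p of paths) (isSafeScpRemotePath(p) ? accepted : rejected).push(p);
  return { accepted, rejected };
}

console.log(triage(SAMPLE_REMOTE_PATHS));
```

The check is deliberately an allow-list: it rejects whitespace along with the obvious separators, which means a legitimate attachment whose filename contains a space is also refused. That is the trade-off the rejection approach makes; an application that needs such names would have to copy the attachment to a generated name before staging, which is outside what this advisory describes.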

Fix Commit(s)

  • a54bf71b4c0cbe554a84340b773df37ee8e959de

Thanks @lintsinghua for reporting.

Database specific
{
    "github_reviewed_at": "2026-03-16T20:41:12Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-78"
    ],
    "nvd_published_at": null,
    "severity": "HIGH"
}
Affected packages

npm / openclaw

Affected ranges (type: SEMVER)

  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Fixed: 2026.3.13

Database specific

  • source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-g2f6-pwvx-r275/GHSA-g2f6-pwvx-r275.json"
  • last_known_affected_version_range: "<= 2026.3.12"