GHSA-vmqr-rc7x-3446

Source
https://github.com/advisories/GHSA-vmqr-rc7x-3446
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vmqr-rc7x-3446/GHSA-vmqr-rc7x-3446.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vmqr-rc7x-3446
Aliases
  • CVE-2026-22169
Published
2026-03-03T18:54:55Z
Modified
2026-03-18T01:31:32.717211Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
OpenClaw's non-default safeBins sort configuration can bypass intended allowlist approval constraints
Details

When sort is explicitly added to tools.exec.safeBins (it is not in the default list), the --compress-program option can be used to invoke an external helper program while the command is still treated as a safe-bin invocation, which bypasses the approval constraints that allowlist mode is intended to enforce. GNU sort documents --compress-program=PROG as the program it runs to compress its temporary files, so the option turns an allowlisted, supposedly side-effect-free binary into a way to execute a program of the caller's choosing; any option that causes an allowlisted binary to execute another program defeats a safe-bin allowlist in the same way.
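
The pattern behind this advisory, as an added example that is not OpenClaw's code and not its fix: a safe-bin gate that checks only the binary's name (the behaviour the advisory describes) next to a deny-by-default variant that also allowlists the options a safe bin may take. The gate functions, the option sets and the "allow" / "approval-required" verdicts are hypothetical names chosen for the illustration; the only GNU sort facts relied on are that --compress-program=PROG runs PROG on temporary files and that getopt_long accepts any unambiguous abbreviation of a long option.

```javascript
// Added example (not OpenClaw's code): a deny-by-default argument gate for a
// "safe bins" allowlist, illustrating the failure mode in the advisory.
// Function names, option sets and verdict strings are hypothetical.

// POSIX-style basename, so "/usr/bin/sort" and "sort" are the same safe bin.
const basename = (p) => p.slice(p.lastIndexOf("/") + 1);

// Options the gate lets through without approval, per safe binary.
// --compress-program is deliberately absent: GNU sort runs the given program
// to compress its temporary files, so the option is an execution primitive.
// This allowlist is hypothetical and illustrative, not a recommendation.
const ALLOWED_OPTIONS = {
  sort: new Set([
    "-n", "--numeric-sort", "-r", "--reverse", "-u", "--unique",
    "-f", "--ignore-case", "-k", "--key", "-t", "--field-separator",
  ]),
};
// Allowed options that consume a value (-k 2, -k2, --key=2, --key 2).
const TAKES_VALUE = new Set(["-k", "--key", "-t", "--field-separator"]);

// Vulnerable pattern: membership of the binary in the allowlist is the only
// check, so any argument, including one that spawns a helper, passes.
function naiveGate(argv, safeBins) {
  if (argv.length === 0) return "approval-required";
  return safeBins.includes(basename(argv[0])) ? "allow" : "approval-required";
}

// Hardened pattern: the binary must be a safe bin AND every option must be on
// that binary's allowlist. Unknown options, abbreviated long options (GNU
// getopt_long accepts any unambiguous prefix, e.g. --co for
// --compress-program) and malformed invocations all require approval.
function hardenedGate(argv, safeBins) {
  if (argv.length === 0) return "approval-required";
  const bin = basename(argv[0]);
  if (!safeBins.includes(bin)) return "approval-required";
  const allowed = ALLOWED_OPTIONS[bin];
  if (!allowed) return "approval-required"; // safe bin with no option policy: never guess
  const args = argv.slice(1);
  for (let i = 0; i < args.length; i++) {
    const arg = args[i];
    if (arg === "--") break;                           // end of options; the rest are operands
    if (!arg.startsWith("-") || arg === "-") continue; // file operand or stdin
    if (arg.startsWith("--")) {
      const eq = arg.indexOf("=");
      const name = eq === -1 ? arg : arg.slice(0, eq);
      if (!allowed.has(name)) return "approval-required"; // exact spelling only
      if (TAKES_VALUE.has(name) && eq === -1) {
        if (++i >= args.length) return "approval-required"; // value missing
      }
      continue;
    }
    // Short option cluster such as -nr, -k2 or -k 2: every letter must be allowed.
    for (let j = 1; j < arg.length; j++) {
      const opt = "-" + arg[j];
      if (!allowed.has(opt)) return "approval-required";
      if (TAKES_VALUE.has(opt)) {
        if (j === arg.length - 1 && ++i >= args.length) return "approval-required";
        break; // the rest of the cluster, if any, is this option's value
      }
    }
  }
  return "allow";
}
```

Exact spelling is required for long options on purpose: because getopt_long accepts unambiguous prefixes, a denylist that matches the literal string --compress-program can be driven around with --compress-prog or --co, and the separate-argument form --compress-program PROG has no "=" to key on. Allowlisting the permitted options avoids having to enumerate the dangerous ones.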

Affected Packages / Versions

  • Package: openclaw (npm)
  • Vulnerable versions: <=2026.2.21-2
  • Latest published npm version checked during triage: 2026.2.21-2 (as of February 22, 2026)
  • Patched in planned next release: 2026.2.22

Fix Commit(s)

  • 57fbbaebca4d34d17549accf6092ae26eb7b605c

Release Process Note

patched_versions is pre-set to the planned next release (>=2026.2.22). Once that npm release is published, the advisory can be published directly.

OpenClaw thanks @tdjackey for reporting.

Database specific
{
    "cwe_ids": [
        "CWE-15",
        "CWE-78"
    ],
    "github_reviewed": true,
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed_at": "2026-03-03T18:54:55Z"
}

Affected packages

npm / openclaw

Package: openclaw
Affected ranges (Type: SEMVER)
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Fixed: 2026.2.22

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vmqr-rc7x-3446/GHSA-vmqr-rc7x-3446.json"