GHSA-3XFW-4PMR-4XC5
Vulnerability from github – Published: 2026-03-03 19:09 – Updated: 2026-03-19 22:24Summary
OpenClaw tools.exec.safeBins had a stdin-only policy bypass for grep.
If pattern input was supplied through -e / --regexp, the validator consumed the pattern as a flag value and still allowed one positional operand. That positional could be a bare filename like .env.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published vulnerable version:
2026.2.19-2 - Structured vulnerable range:
<= 2026.2.19-2 - Planned fixed range for next release:
>= 2026.2.21
Exploit Preconditions
tools.exec.safeBinsmust includegrep(this is opt-in;grepis not in the default safe-bin list).- An actor must be able to invoke exec tooling under that profile.
Technical Details
src/infra/exec-safe-bin-policy.ts configured grep with maxPositional: 1 and allowed -e / --regexp value flags.
Because -e consumes the pattern in flag-value position, the remaining positional budget could be used for a file operand.
Example accepted input in vulnerable builds:
grep -e SECRET .env
That violated the intended stdin-only guarantee for safe bins.
Impact
With grep opt-in enabled, callers could read bare-relative files from the working directory (for example .env, credentials.txt) in flows expected to be stdin-only.
Severity Rationale
CVSS v3.1 is set to:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (5.3, Medium)
AC:H is used because exploitation depends on a non-default configuration (grep must be explicitly added to safe bins) in addition to normal low-privilege tool-invocation capability.
Fix Commit(s)
c6ee14d60e4cbd6a82f9b2d74ebeb1e8ee814964
Release Process Note
patched_versions is pre-set to >= 2026.2.21 so this advisory is ready to publish after the 2026.2.21 npm release is live.
OpenClaw thanks @athuljayaram for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32022"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T19:09:20Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nOpenClaw `tools.exec.safeBins` had a stdin-only policy bypass for `grep`.\nIf pattern input was supplied through `-e` / `--regexp`, the validator consumed the pattern as a flag value and still allowed one positional operand. That positional could be a bare filename like `.env`.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published vulnerable version: `2026.2.19-2`\n- Structured vulnerable range: `\u003c= 2026.2.19-2`\n- Planned fixed range for next release: `\u003e= 2026.2.21`\n\n### Exploit Preconditions\n\n- `tools.exec.safeBins` must include `grep` (this is opt-in; `grep` is not in the default safe-bin list).\n- An actor must be able to invoke exec tooling under that profile.\n\n### Technical Details\n\n`src/infra/exec-safe-bin-policy.ts` configured `grep` with `maxPositional: 1` and allowed `-e` / `--regexp` value flags.\nBecause `-e` consumes the pattern in flag-value position, the remaining positional budget could be used for a file operand.\nExample accepted input in vulnerable builds:\n\n```bash\ngrep -e SECRET .env\n```\n\nThat violated the intended stdin-only guarantee for safe bins.\n\n### Impact\n\nWith `grep` opt-in enabled, callers could read bare-relative files from the working directory (for example `.env`, `credentials.txt`) in flows expected to be stdin-only.\n\n### Severity Rationale\n\nCVSS v3.1 is set to:\n`CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N` (5.3, Medium)\n\n`AC:H` is used because exploitation depends on a non-default configuration (`grep` must be explicitly added to safe bins) in addition to normal low-privilege tool-invocation capability.\n\n### Fix Commit(s)\n\n- `c6ee14d60e4cbd6a82f9b2d74ebeb1e8ee814964`\n\n### Release Process Note\n\n`patched_versions` is pre-set to `\u003e= 2026.2.21` so this advisory is ready to publish after the `2026.2.21` npm release is live.\n\nOpenClaw thanks @athuljayaram for reporting.",
"id": "GHSA-3xfw-4pmr-4xc5",
"modified": "2026-03-19T22:24:33Z",
"published": "2026-03-03T19:09:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3xfw-4pmr-4xc5"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/c6ee14d60e4cbd6a82f9b2d74ebeb1e8ee814964"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.