GHSA-7853-GQQM-VCWX

Vulnerability from github – Published: 2026-04-08 00:16 – Updated: 2026-04-08 00:16
VLAI?
Summary
openclaw-claude-bridge: sandbox is not effective - `--allowed-tools ""` does not restrict available tools
Details

Affected

openclaw-claude-bridge v1.1.0

Issue

v1.1.0 spawns the Claude Code CLI subprocess with --allowed-tools "" and the release notes + README claim this "disables all CLI tools" for sandboxing. This claim is incorrect.

Per the Claude Code CLI documentation, --allowed-tools (alias --allowedTools) is an auto-approve allowlist of tools that execute without permission prompts — NOT a restriction on which tools are available. The correct flag to restrict the available tool set is --tools:

--tools <tools...> Specify the list of available tools from the built-in set. Use "" to disable all tools, "default" to use all tools, or specify tool names (e.g. "Bash,Edit,Read").

Impact

  • All CLI tools (Read/Write/Bash/WebFetch/...) remain nominally available to the spawned subprocess.
  • Actual execution behavior in --print non-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang).
  • Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.

The README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in --print mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway's process context.

Patches

Fixed in v1.1.1 (commit 8a296f5) by switching to --tools "". The environment variable was also renamed from CLAUDE_ALLOWED_TOOLS to CLAUDE_TOOLS to match the flag.

Workarounds

Setting CLAUDE_ALLOWED_TOOLS on v1.1.0 has no mitigating effect. Upgrade to v1.1.1 or manually edit dist/cli-bridge.js to replace --allowed-tools with --tools.

References

  • Fix: https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5
  • v1.1.1 notes: https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1
  • Claude Code CLI reference: https://docs.claude.com/en/docs/claude-code/cli-reference

Credit

Found during a second-round code review.

Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw-claude-bridge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:16:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Affected\n\nopenclaw-claude-bridge v1.1.0\n\n## Issue\n\nv1.1.0 spawns the Claude Code CLI subprocess with `--allowed-tools \"\"` and the release notes + README claim this **\"disables all CLI tools\"** for sandboxing. This claim is incorrect.\n\nPer the Claude Code CLI documentation, `--allowed-tools` (alias `--allowedTools`) is an **auto-approve allowlist** of tools that execute without permission prompts \u2014 NOT a restriction on which tools are available. The correct flag to restrict the available tool set is `--tools`:\n\n\u003e `--tools \u003ctools...\u003e`  Specify the list of available tools from the built-in set. **Use `\"\"` to disable all tools**, `\"default\"` to use all tools, or specify tool names (e.g. `\"Bash,Edit,Read\"`).\n\n## Impact\n\n- All CLI tools (Read/Write/Bash/WebFetch/...) remain nominally available to the spawned subprocess.\n- Actual execution behavior in `--print` non-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang).\n- Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.\n\nThe README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in `--print` mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway\u0027s process context.\n\n## Patches\n\nFixed in [v1.1.1](https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1) (commit 8a296f5) by switching to `--tools \"\"`. The environment variable was also renamed from `CLAUDE_ALLOWED_TOOLS` to `CLAUDE_TOOLS` to match the flag.\n\n## Workarounds\n\nSetting `CLAUDE_ALLOWED_TOOLS` on v1.1.0 has no mitigating effect. Upgrade to v1.1.1 or manually edit `dist/cli-bridge.js` to replace `--allowed-tools` with `--tools`.\n\n## References\n\n- Fix: https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5\n- v1.1.1 notes: https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1\n- Claude Code CLI reference: https://docs.claude.com/en/docs/claude-code/cli-reference\n\n## Credit\n\nFound during a second-round code review.",
  "id": "GHSA-7853-gqqm-vcwx",
  "modified": "2026-04-08T00:16:09Z",
  "published": "2026-04-08T00:16:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SeaL773/openclaw-claude-bridge/security/advisories/GHSA-7853-gqqm-vcwx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SeaL773/openclaw-claude-bridge"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "openclaw-claude-bridge: sandbox is not effective - `--allowed-tools \"\"` does not restrict available tools"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.