CWE-184
AllowedIncomplete List of Disallowed Inputs
Abstraction: Base · Status: Draft
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
307 vulnerabilities reference this CWE, most recent first.
GHSA-68PW-C734-2RR2
Vulnerability from github – Published: 2026-07-14 00:31 – Updated: 2026-07-14 00:31OpenClaw versions before 2026.6.6 contain a flaw in host exec environment filtering that can miss interpreter startup variables. When the affected feature is enabled and reachable, a lower-trust caller or configured input path can supply crafted environment variables to execute or persist actions beyond the caller's intended authorization.
{
"affected": [],
"aliases": [
"CVE-2026-62199"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T22:16:51Z",
"severity": "HIGH"
},
"details": "OpenClaw versions before 2026.6.6 contain a flaw in host exec environment filtering that can miss interpreter startup variables. When the affected feature is enabled and reachable, a lower-trust caller or configured input path can supply crafted environment variables to execute or persist actions beyond the caller\u0027s intended authorization.",
"id": "GHSA-68pw-c734-2rr2",
"modified": "2026-07-14T00:31:04Z",
"published": "2026-07-14T00:31:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hjr6-g723-hmfm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-62199"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-environment-filtering"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6MGF-V5J7-45CR
Vulnerability from github – Published: 2026-03-09 19:54 – Updated: 2026-03-30 13:31OpenClaw's fetchWithSsrFGuard(...) followed cross-origin redirects while preserving arbitrary caller-supplied headers except for a narrow denylist (Authorization, Proxy-Authorization, Cookie, Cookie2). This allowed custom authorization headers such as X-Api-Key, Private-Token, and similar sensitive headers to be forwarded to a different origin after a redirect.
The fix switches cross-origin redirect handling from a narrow sensitive-header denylist to a safe-header allowlist, so only benign headers such as content negotiation and cache validators survive an origin change.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.3.2 - Patched version:
2026.3.7 - Latest published npm version at patch time:
2026.3.2
Impact
A remote service that could trigger a redirect across origins could receive custom authorization credentials attached by OpenClaw callers. This can expose API keys, bearer-style custom headers, or private token headers intended only for the original destination.
Fix Commit(s)
46715371b0612a6f9114dffd1466941ac476cef5
Verification
pnpm checkpassedpnpm test:fastpassed- Focused redirect regression tests passed
pnpm exec vitest run --config vitest.gateway.config.tsstill has unrelated current-mainfailures insrc/gateway/server-channels.test.tsandsrc/gateway/server-methods/agents-mutate.test.ts
Release Process Note
npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @Rickidevs for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.2"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32913"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-184",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-09T19:54:20Z",
"nvd_published_at": "2026-03-23T22:16:30Z",
"severity": "HIGH"
},
"details": "OpenClaw\u0027s `fetchWithSsrFGuard(...)` followed cross-origin redirects while preserving arbitrary caller-supplied headers except for a narrow denylist (`Authorization`, `Proxy-Authorization`, `Cookie`, `Cookie2`). This allowed custom authorization headers such as `X-Api-Key`, `Private-Token`, and similar sensitive headers to be forwarded to a different origin after a redirect.\n\nThe fix switches cross-origin redirect handling from a narrow sensitive-header denylist to a safe-header allowlist, so only benign headers such as content negotiation and cache validators survive an origin change.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.3.2`\n- Patched version: `2026.3.7`\n- Latest published npm version at patch time: `2026.3.2`\n\n## Impact\n\nA remote service that could trigger a redirect across origins could receive custom authorization credentials attached by OpenClaw callers. This can expose API keys, bearer-style custom headers, or private token headers intended only for the original destination.\n\n## Fix Commit(s)\n\n- `46715371b0612a6f9114dffd1466941ac476cef5`\n\n## Verification\n\n- `pnpm check` passed\n- `pnpm test:fast` passed\n- Focused redirect regression tests passed\n- `pnpm exec vitest run --config vitest.gateway.config.ts` still has unrelated current-`main` failures in `src/gateway/server-channels.test.ts` and `src/gateway/server-methods/agents-mutate.test.ts`\n\n## Release Process Note\n\nnpm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.\n\nThanks @Rickidevs for reporting.",
"id": "GHSA-6mgf-v5j7-45cr",
"modified": "2026-03-30T13:31:55Z",
"published": "2026-03-09T19:54:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6mgf-v5j7-45cr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32913"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/46715371b0612a6f9114dffd1466941ac476cef5"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"
},
{
"type": "WEB",
"url": "https://vulncheck.com/advisories/openclaw-mar-custom-authorization-header-leakage-via-cross-origin-redirects"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects"
}
GHSA-6V84-V468-3C7F
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-18 14:40Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-84r2-jw7c-4r5q. This link is maintained to preserve external references.
Original Description
picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 0.0.33"
},
"package": {
"ecosystem": "PyPI",
"name": "picklescan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:40:24Z",
"nvd_published_at": "2026-06-17T17:16:40Z",
"severity": "CRITICAL"
},
"details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of\u00a0GHSA-84r2-jw7c-4r5q. This link is maintained to preserve external references.\n\n## Original Description\npicklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized.",
"id": "GHSA-6v84-v468-3c7f",
"modified": "2026-06-18T14:40:24Z",
"published": "2026-06-17T18:35:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-84r2-jw7c-4r5q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71320"
},
{
"type": "PACKAGE",
"url": "https://github.com/mmaitre314/picklescan"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-incomplete-disallowed-inputs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: Picklescan has Incomplete List of Disallowed Inputs",
"withdrawn": "2026-06-18T14:40:24Z"
}
GHSA-6VQF-6FHM-7RC6
Vulnerability from github – Published: 2026-04-21 14:35 – Updated: 2026-04-21 14:35The Dataflow module in OpenMage LTS uses a weak blacklist filter (str_replace('../', '', $input)) to prevent path traversal attacks. This filter can be bypassed using patterns like ..././ or ....//, which after the replacement still result in ../. An authenticated administrator can exploit this to read arbitrary files from the server filesystem.
| Metric | Value | Justification |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable via admin panel |
| Attack Complexity (AC) | Low | Simple bypass pattern |
| Privileges Required (PR) | High | Requires admin authentication |
| User Interaction (UI) | None | No additional user interaction needed |
| Scope (S) | Unchanged | Impacts the vulnerable component |
| Confidentiality (C) | High | Can read sensitive system files |
| Integrity (I) | None | Read-only vulnerability |
| Availability (A) | None | No impact on availability |
Affected Products
- OpenMage LTS versions < 20.16.1
- All versions derived from Magento 1.x with these code paths
Affected Files
| File | Line | Vulnerable Code |
|---|---|---|
app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php |
67 | str_replace('../', '', urldecode(...)) |
app/code/core/Mage/Dataflow/Model/Convert/Parser/Xml/Excel.php |
63 | str_replace('../', '', urldecode(...)) |
Vulnerability Details
The Dataflow module allows administrators to import data from files. The files parameter specifies which file to import from the var/import/ directory. To prevent path traversal, the code uses str_replace() to remove ../ sequences:
$file = Mage::app()->getConfig()->getTempVarDir() . '/import/'
. str_replace('../', '', urldecode(Mage::app()->getRequest()->getParam('files')));
However, str_replace() only performs a single pass, making it trivially bypassable:
Bypass Examples
| Input | After str_replace('../', '', ...) |
Result |
|---|---|---|
..././ |
../ |
Bypass |
....// |
../ |
Bypass |
..././..././..././etc/passwd |
../../../etc/passwd |
File read |
Attack Scenario
- Attacker gains admin access (via compromised credentials, social engineering, etc.)
- Navigate to System > Import/Export > Dataflow Profiles
- Create or modify an import profile
- Set the
filesparameter to:..././..././..././etc/passwd - Run the profile to read the contents of
/etc/passwd
Proof of Concept
# Request to Dataflow with bypass pattern
GET /admin/system_convert_gui/run/id/1/?files=..././..././..././etc/passwd
# The str_replace removes '../' leaving:
# ..././..././..././etc/passwd -> ../../../etc/passwd
# Final path resolves to:
# /var/www/html/var/import/../../../etc/passwd -> /etc/passwd
Remediation
Replace the weak str_replace() filter with basename() to extract only the filename:
// Before (vulnerable)
$file = Mage::app()->getConfig()->getTempVarDir() . '/import/'
. str_replace('../', '', urldecode(Mage::app()->getRequest()->getParam('files')));
// After (fixed)
$file = Mage::app()->getConfig()->getTempVarDir() . '/import/'
. basename(urldecode(Mage::app()->getRequest()->getParam('files')));
Using basename() ensures only the filename portion is used, completely preventing any path traversal regardless of the input pattern.
Workarounds
If immediate upgrade is not possible:
- Restrict admin access: Limit Dataflow access to trusted administrators only
- Disable Dataflow: If not in use, disable the Dataflow module entirely
- Web Application Firewall: Block requests containing path traversal patterns
- File permissions: Ensure the web server user has minimal filesystem permissions
- Monitor admin activity: Alert on suspicious Dataflow profile execution
Impact
An attacker with admin access can read sensitive files including:
/etc/passwd- System user informationapp/etc/local.xml- Database credentials.envfiles - Environment secrets- Log files - Potentially sensitive application data
- Configuration files - Server and application configuration
Credit
This vulnerability was discovered and responsibly disclosed by blackhat2013 through HackerOne.
Timeline
- 2025-12-31: Vulnerability reported via HackerOne
- 2026-01-21: Fix developed and tested
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "openmage/magento-lts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25525"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T14:35:02Z",
"nvd_published_at": "2026-04-20T17:16:32Z",
"severity": "MODERATE"
},
"details": "The Dataflow module in OpenMage LTS uses a weak blacklist filter (`str_replace(\u0027../\u0027, \u0027\u0027, $input)`) to prevent path traversal attacks. This filter can be bypassed using patterns like `..././` or `....//`, which after the replacement still result in `../`. An authenticated administrator can exploit this to read arbitrary files from the server filesystem.\n\n\n| Metric | Value | Justification |\n| ------------------------ | --------- | ------------------------------------- |\n| Attack Vector (AV) | Network | Exploitable via admin panel |\n| Attack Complexity (AC) | Low | Simple bypass pattern |\n| Privileges Required (PR) | High | Requires admin authentication |\n| User Interaction (UI) | None | No additional user interaction needed |\n| Scope (S) | Unchanged | Impacts the vulnerable component |\n| Confidentiality (C) | High | Can read sensitive system files |\n| Integrity (I) | None | Read-only vulnerability |\n| Availability (A) | None | No impact on availability |\n\n## Affected Products\n\n- OpenMage LTS versions \u003c 20.16.1\n- All versions derived from Magento 1.x with these code paths\n\n## Affected Files\n\n| File | Line | Vulnerable Code |\n| ------------------------------------------------------------ | ---- | ---------------------------------------- |\n| `app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php` | 67 | `str_replace(\u0027../\u0027, \u0027\u0027, urldecode(...))` |\n| `app/code/core/Mage/Dataflow/Model/Convert/Parser/Xml/Excel.php` | 63 | `str_replace(\u0027../\u0027, \u0027\u0027, urldecode(...))` |\n\n## Vulnerability Details\n\nThe Dataflow module allows administrators to import data from files. The `files` parameter specifies which file to import from the `var/import/` directory. To prevent path traversal, the code uses `str_replace()` to remove `../` sequences:\n\n```php\n$file = Mage::app()-\u003egetConfig()-\u003egetTempVarDir() . \u0027/import/\u0027\n . str_replace(\u0027../\u0027, \u0027\u0027, urldecode(Mage::app()-\u003egetRequest()-\u003egetParam(\u0027files\u0027)));\n```\n\nHowever, `str_replace()` only performs a single pass, making it trivially bypassable:\n\n### Bypass Examples\n\n| Input | After `str_replace(\u0027../\u0027, \u0027\u0027, ...)` | Result |\n| ------------------------------ | ----------------------------------- | --------- |\n| `..././` | `../` | Bypass |\n| `....//` | `../` | Bypass |\n| `..././..././..././etc/passwd` | `../../../etc/passwd` | File read |\n\n### Attack Scenario\n\n1. Attacker gains admin access (via compromised credentials, social engineering, etc.)\n2. Navigate to System \u003e Import/Export \u003e Dataflow Profiles\n3. Create or modify an import profile\n4. Set the `files` parameter to: `..././..././..././etc/passwd`\n5. Run the profile to read the contents of `/etc/passwd`\n\n### Proof of Concept\n\n```\n# Request to Dataflow with bypass pattern\nGET /admin/system_convert_gui/run/id/1/?files=..././..././..././etc/passwd\n\n# The str_replace removes \u0027../\u0027 leaving:\n# ..././..././..././etc/passwd -\u003e ../../../etc/passwd\n\n# Final path resolves to:\n# /var/www/html/var/import/../../../etc/passwd -\u003e /etc/passwd\n```\n\n## Remediation\n\nReplace the weak `str_replace()` filter with `basename()` to extract only the filename:\n\n```php\n// Before (vulnerable)\n$file = Mage::app()-\u003egetConfig()-\u003egetTempVarDir() . \u0027/import/\u0027\n . str_replace(\u0027../\u0027, \u0027\u0027, urldecode(Mage::app()-\u003egetRequest()-\u003egetParam(\u0027files\u0027)));\n\n// After (fixed)\n$file = Mage::app()-\u003egetConfig()-\u003egetTempVarDir() . \u0027/import/\u0027\n . basename(urldecode(Mage::app()-\u003egetRequest()-\u003egetParam(\u0027files\u0027)));\n```\n\nUsing `basename()` ensures only the filename portion is used, completely preventing any path traversal regardless of the input pattern.\n\n## Workarounds\n\nIf immediate upgrade is not possible:\n\n1. **Restrict admin access**: Limit Dataflow access to trusted administrators only\n2. **Disable Dataflow**: If not in use, disable the Dataflow module entirely\n3. **Web Application Firewall**: Block requests containing path traversal patterns\n4. **File permissions**: Ensure the web server user has minimal filesystem permissions\n5. **Monitor admin activity**: Alert on suspicious Dataflow profile execution\n\n## Impact\n\nAn attacker with admin access can read sensitive files including:\n\n- `/etc/passwd` - System user information\n- `app/etc/local.xml` - Database credentials\n- `.env` files - Environment secrets\n- Log files - Potentially sensitive application data\n- Configuration files - Server and application configuration\n\n## Credit\n\nThis vulnerability was discovered and responsibly disclosed by [blackhat2013](https://hackerone.com/blackhat2013) through HackerOne.\n\n## Timeline\n\n- **2025-12-31**: Vulnerability reported via HackerOne\n- **2026-01-21**: Fix developed and tested",
"id": "GHSA-6vqf-6fhm-7rc6",
"modified": "2026-04-21T14:35:03Z",
"published": "2026-04-21T14:35:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-6vqf-6fhm-7rc6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25525"
},
{
"type": "WEB",
"url": "https://github.com/OpenMage/magento-lts/pull/5445"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3482926"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenMage/magento-lts"
},
{
"type": "WEB",
"url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.17.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module"
}
GHSA-6X33-PW7P-HMPQ
Vulnerability from github – Published: 2020-09-04 17:59 – Updated: 2024-01-29 20:57Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
For a proxy server running on http://localhost:3000, the following curl request triggers the unhandled exception:
curl -XPOST http://localhost:3000 -d "$(python -c 'print("x"*1025)')"
Recommendation
Upgrade to version 1.18.1 or later
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "http-proxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T19:01:05Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `http-proxy` prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an `ERR_HTTP_HEADERS_SENT` unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the `proxyReq.setHeader` function. \n\nFor a proxy server running on `http://localhost:3000`, the following curl request triggers the unhandled exception: \n```curl -XPOST http://localhost:3000 -d \"$(python -c \u0027print(\"x\"*1025)\u0027)\"```\n\n\n## Recommendation\n\nUpgrade to version 1.18.1 or later",
"id": "GHSA-6x33-pw7p-hmpq",
"modified": "2024-01-29T20:57:00Z",
"published": "2020-09-04T17:59:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/http-party/node-http-proxy/pull/1447/commits/4718119ffbe895aecd9be0d6430357d44b4c7fd3"
},
{
"type": "WEB",
"url": "https://github.com/http-party/node-http-proxy/pull/1447/files"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1486"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service in http-proxy"
}
GHSA-7437-7HG8-FRRW
Vulnerability from github – Published: 2026-04-09 14:22 – Updated: 2026-04-28 18:29Impact
HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class).
Missing denylist entries allowed hostile build-tool environment variables to influence host exec commands.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
< 2026.4.8 - Patched versions:
2026.4.8
Fix
The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
Verification
The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.
Credits
Thanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42427"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-09T14:22:29Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Impact\n\nHGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist \u2014 RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class).\n\nMissing denylist entries allowed hostile build-tool environment variables to influence host exec commands.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c 2026.4.8`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\nThanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.",
"id": "GHSA-7437-7hg8-frrw",
"modified": "2026-04-28T18:29:08Z",
"published": "2026-04-09T14:22:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7437-7hg8-frrw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist \u2014 RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)"
}
GHSA-7977-C43C-XPWJ
Vulnerability from github – Published: 2026-02-27 06:31 – Updated: 2026-02-28 02:17In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was denied.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28363"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-28T02:17:24Z",
"nvd_published_at": "2026-02-27T04:16:03Z",
"severity": "CRITICAL"
},
"details": "In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was denied.",
"id": "GHSA-7977-c43c-xpwj",
"modified": "2026-02-28T02:17:24Z",
"published": "2026-02-27T06:31:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28363"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode"
}
GHSA-7F79-RVX6-VXC4
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-18 14:44Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-4675-36f9-wf6r. This link is maintained to preserve external references.
Original Description
picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw memory. Attackers can craft malicious pickle files using ctypes.WinDLL to load kernel32.dll and execute arbitrary commands, bypassing sandbox protections and gadget chain detection.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "picklescan"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:44:46Z",
"nvd_published_at": "2026-06-17T17:16:41Z",
"severity": "CRITICAL"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-4675-36f9-wf6r. This link is maintained to preserve external references.\n\n### Original Description\npicklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw memory. Attackers can craft malicious pickle files using ctypes.WinDLL to load kernel32.dll and execute arbitrary commands, bypassing sandbox protections and gadget chain detection.",
"id": "GHSA-7f79-rvx6-vxc4",
"modified": "2026-06-18T14:44:46Z",
"published": "2026-06-17T18:35:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4675-36f9-wf6r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71323"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-unblocked-ctypes-module"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: Picklescan does not block ctypes",
"withdrawn": "2026-06-18T14:44:46Z"
}
GHSA-7GGG-PVRF-458V
Vulnerability from github – Published: 2026-04-02 20:57 – Updated: 2026-05-06 02:38Summary
PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic
Current Maintainer Triage
- Status: narrow
- Normalized severity: high
- Assessment: v2026.3.28 still allows Python package-index env redirection through host exec, but scope should stay limited to approved or allowlisted package-management exec paths, not arbitrary remote execution.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
7ae1bb0c7799fd0cbd2d4de7b0f5b8039837ab8d— 2026-03-31T09:53:32+09:00
OpenClaw thanks @nexrin for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41391"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-807"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-02T20:57:44Z",
"nvd_published_at": "2026-04-28T19:37:42Z",
"severity": "HIGH"
},
"details": "## Summary\n`PIP_INDEX_URL` and `UV_INDEX_URL` bypass host exec env sanitization and redirect Python package-index traffic\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: high\n- Assessment: v2026.3.28 still allows Python package-index env redirection through host exec, but scope should stay limited to approved or allowlisted package-management exec paths, not arbitrary remote execution.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `7ae1bb0c7799fd0cbd2d4de7b0f5b8039837ab8d` \u2014 2026-03-31T09:53:32+09:00\n\nOpenClaw thanks @nexrin for reporting.",
"id": "GHSA-7ggg-pvrf-458v",
"modified": "2026-05-06T02:38:56Z",
"published": "2026-04-02T20:57:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7ggg-pvrf-458v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41391"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/7ae1bb0c7799fd0cbd2d4de7b0f5b8039837ab8d"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-bypass-in-package-index-url-handling"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic"
}
GHSA-7JM4-F7VJ-6PCC
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34Picklescan before 0.0.25 fails to detect unsafe global functions in the Numpy library, allowing attackers to bypass static analysis and execute arbitrary code during deserialization. Attackers can craft malicious pickle files using numpy.testing._private.utils.runstring within the reduce method to import dangerous libraries like os and execute arbitrary OS commands when the pickle file is loaded.
{
"affected": [],
"aliases": [
"CVE-2025-71355"
],
"database_specific": {
"cwe_ids": [
"CWE-184"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:16:51Z",
"severity": "HIGH"
},
"details": "Picklescan before 0.0.25 fails to detect unsafe global functions in the Numpy library, allowing attackers to bypass static analysis and execute arbitrary code during deserialization. Attackers can craft malicious pickle files using numpy.testing._private.utils.runstring within the reduce method to import dangerous libraries like os and execute arbitrary OS commands when the pickle file is loaded.",
"id": "GHSA-7jm4-f7vj-6pcc",
"modified": "2026-07-01T00:34:01Z",
"published": "2026-07-01T00:34:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-fj43-3qmq-673f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71355"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-unsafe-numpy-function-detection-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Strategy: Input Validation
Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
CAPEC-120: Double Encoding
The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-182: Flash Injection
An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.
CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters
Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading "ghost" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.
CAPEC-43: Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
CAPEC-6: Argument Injection
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
CAPEC-71: Using Unicode Encoding to Bypass Validation Logic
An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.