GHSA-5GJ7-JF77-Q2Q2

Vulnerability from github – Published: 2026-03-03 21:34 – Updated: 2026-03-30 13:21
VLAI
Summary
OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)
Details

Summary

In openclaw<=2026.2.23, safe-bin trust in allowlist mode relied on static default trusted directories that included package-manager paths (notably /opt/homebrew/bin and /usr/local/bin). When a same-name binary (for example jq) is placed in one of those trusted default directories, safe-bin evaluation can be satisfied and execute the attacker-controlled binary.

Impact

This is an exec allowlist safeBins policy bypass that can lead to command execution in the OpenClaw runtime context. Severity is set to Medium given the required ability to write into trusted host binary directories.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Vulnerable versions: <= 2026.2.23
  • Patched versions: >= 2026.2.24 (planned next npm release)
  • Latest published npm version at triage time (2026-02-24): 2026.2.23

Root Cause

  • Default safe-bin trusted directories included package-manager/user-managed paths.
  • Trust decision was directory-membership only for resolved executable paths.

Remediation

  • Restrict default safe-bin trusted directories to immutable system paths: /bin, /usr/bin.
  • Require explicit operator opt-in for package-manager/user paths via tools.exec.safeBinTrustedDirs.

Fix Commit(s)

  • b67e600bff696ff2ed9b470826590c0ce6b3bb0a

Release Process Note

patched_versions is pre-set to the planned next release (2026.2.24). Once npm release 2026.2.24 is published, this advisory should be ready for publish without additional version edits.

OpenClaw thanks @tdjackey for reporting.

Publication Update (2026-02-25)

openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.

Severity
5.7 (Medium)
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
7.0 (High)
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.23"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-426",
      "CWE-428",
      "CWE-829"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:34:45Z",
    "nvd_published_at": "2026-03-19T22:16:33Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nIn `openclaw\u003c=2026.2.23`, safe-bin trust in allowlist mode relied on static default trusted directories that included package-manager paths (notably `/opt/homebrew/bin` and `/usr/local/bin`).\nWhen a same-name binary (for example `jq`) is placed in one of those trusted default directories, safe-bin evaluation can be satisfied and execute the attacker-controlled binary.\n\n### Impact\nThis is an exec allowlist `safeBins` policy bypass that can lead to command execution in the OpenClaw runtime context.\nSeverity is set to Medium given the required ability to write into trusted host binary directories.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable versions: `\u003c= 2026.2.23`\n- Patched versions: `\u003e= 2026.2.24` (planned next npm release)\n- Latest published npm version at triage time (2026-02-24): `2026.2.23`\n\n### Root Cause\n- Default safe-bin trusted directories included package-manager/user-managed paths.\n- Trust decision was directory-membership only for resolved executable paths.\n\n### Remediation\n- Restrict default safe-bin trusted directories to immutable system paths: `/bin`, `/usr/bin`.\n- Require explicit operator opt-in for package-manager/user paths via `tools.exec.safeBinTrustedDirs`.\n\n### Fix Commit(s)\n- `b67e600bff696ff2ed9b470826590c0ce6b3bb0a`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.24`).\nOnce npm release `2026.2.24` is published, this advisory should be ready for publish without additional version edits.\n\nOpenClaw thanks @tdjackey for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `\u003e= 2026.2.24` as patched.",
  "id": "GHSA-5gj7-jf77-q2q2",
  "modified": "2026-03-30T13:21:53Z",
  "published": "2026-03-03T21:34:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5gj7-jf77-q2q2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32009"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/b67e600bff696ff2ed9b470826590c0ce6b3bb0a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-binary-hijacking-via-static-default-trusted-directories-in-safebins"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.