GHSA-CQMH-PCGR-Q42F
Vulnerability from github – Published: 2026-05-06 23:23 – Updated: 2026-05-06 23:23
VLAI
Summary
@axonflow/openclaw fix introduces plugin cache and credential-file permission hardening
Details
Summary
Two related permission defects in this AxonFlow plugin allowed registration credentials and cache state to be readable by other local users on hosts where the calling user's home directory was at the conventional 0755 mode.
Affected versions
Versions 1.3.2 and below.
Impact
- Cache and config directory mode. The plugin's directories under
~/.config/axonflow/and~/.cache/axonflow/were created with the umask-derived default mode (often0755) on first use and not subsequently re-validated. On systems where~/.config/is itself0755, the plugin's registration record (including a hashed credential andinstance_id) was traversable by other local users. - Credential file mode at load time. The plugin loaded its
try-registration.jsoncredential file without validating that the file mode was0600. A registration file written by a misconfigured tool, copied across systems, or restored from backup could end up world-readable, and the plugin would silently use it.
The fix restores 0700 on all plugin directories on every plugin invocation (not only first creation) and refuses to load credential files with non-0600 modes.
Remediation
Upgrade to the patched plugin version listed under Vulnerabilities. On startup the plugin will repair existing directory modes; existing credential files with overly permissive modes will be refused, requiring the user to re-register or chmod 0600 the file.
Credit
Identified by AxonFlow internal security review.
Severity
5.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@axonflow/openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-552",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T23:23:25Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nTwo related permission defects in this AxonFlow plugin allowed registration credentials and cache state to be readable by other local users on hosts where the calling user\u0027s home directory was at the conventional `0755` mode.\n\n## Affected versions\n\nVersions 1.3.2 and below.\n\n## Impact\n\n1. **Cache and config directory mode.** The plugin\u0027s directories under `~/.config/axonflow/` and `~/.cache/axonflow/` were created with the umask-derived default mode (often `0755`) on first use and not subsequently re-validated. On systems where `~/.config/` is itself `0755`, the plugin\u0027s registration record (including a hashed credential and `instance_id`) was traversable by other local users.\n2. **Credential file mode at load time.** The plugin loaded its `try-registration.json` credential file without validating that the file mode was `0600`. A registration file written by a misconfigured tool, copied across systems, or restored from backup could end up world-readable, and the plugin would silently use it.\n\nThe fix restores `0700` on all plugin directories on every plugin invocation (not only first creation) and refuses to load credential files with non-`0600` modes.\n\n## Remediation\n\nUpgrade to the patched plugin version listed under Vulnerabilities. On startup the plugin will repair existing directory modes; existing credential files with overly permissive modes will be refused, requiring the user to re-register or `chmod 0600` the file.\n\n## Credit\n\nIdentified by AxonFlow internal security review.",
"id": "GHSA-cqmh-pcgr-q42f",
"modified": "2026-05-06T23:23:25Z",
"published": "2026-05-06T23:23:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getaxonflow/axonflow-openclaw-plugin/security/advisories/GHSA-cqmh-pcgr-q42f"
},
{
"type": "PACKAGE",
"url": "https://github.com/getaxonflow/axonflow-openclaw-plugin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "@axonflow/openclaw fix introduces plugin cache and credential-file permission hardening"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…