CVE-2026-25593
Severity: HIGH 8.4 | EPSS: 0.02%
OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply
Description
### Summary

An unauthenticated local client could use the Gateway WebSocket API to write config via `config.apply` and set unsafe `cliPath` values that were later used for command discovery, enabling command injection as the gateway user.

### Impact

A local process on the same machine could execute arbitrary commands as the gateway process user.

### Details

- `config.apply` accepted raw JSON and wrote it to disk after schema validation.
- `cliPath` values were not constrained to safe executable names/paths.
- Command discovery used a shell invocation when resolving executables.

### Mitigation

Upgrade to a patched release. If projects cannot upgrade immediately, set `gateway.auth` and avoid custom `cliPath` values.
Affected packages (1)
- npm/openclaw: from 0, < 2026.1.20
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.4 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |