CVE-2026-26325

描述

## Summary A mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. ## Affected Configurations This only impacts deployments that: - Use the node host / companion node execution path (`system.run` on a node). - Enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`). - Allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. ## Impact In affected configurations, an attacker who can invoke `system.run` can bypass allowlist enforcement and approval prompts by supplying an allowlisted `rawCommand` while providing a different `command[]` argv for execution. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.2.13` - Patched version: `>= 2026.2.14` (planned next release) ## Fix Enforce `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation). ## Fix Commit(s) - cb3290fca32593956638f161d9776266b90ab891 ## Release Process Note This advisory pre-sets the patched version to the planned next release (`2026.2.14`). Once `[email protected]` is published to npm, the advisory can be published without further edits. Thanks @christos-eth for reporting.

受影響套件(1)

• npm/openclawfrom 0, < 2026.2.14

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-26325
• PATCHhttps://github.com/openclaw/openclaw
• WEBhttps://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891
• WEBhttps://github.com/openclaw/openclaw/releases/tag/v2026.2.14
• WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476