CVE-2026-27486

描述

## Summary OpenClaw CLI process cleanup used system-wide process enumeration and pattern matching to terminate processes without verifying they were owned by the current OpenClaw process. On shared hosts, unrelated processes could be terminated if they matched the pattern. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `< 2026.2.14` (including the latest published version `2026.2.13`) - Fixed: `2026.2.14` (planned next release) ## Details The CLI runner cleanup helpers could kill processes matched by command-line patterns without validating process ownership. ## Fix Process cleanup is now scoped to owned processes only by filtering to direct child PIDs of the current process (`ppid == process.pid`) before sending signals. Hardening follow-ups: - Prefer graceful termination for resume cleanup (`SIGTERM`, then `SIGKILL` fallback). - Reduce false negatives from `ps` argv truncation by preferring wide output (`ps -axww`) with a fallback. - Tighten command-line token matching to avoid substring matches. ## Fix Commit(s) - 6084d13b956119e3cf95daaf9a1cae1670ea3557 - eb60e2e1b213740c3c587a7ba4dbf10da620ca66 ## Release Process Note This advisory is pre-set with patched version `2026.2.14`. After `2026.2.14` is published to npm, the remaining step should be to publish this advisory. Thanks @aether-ai-agent for reporting.

受影響套件(1)

• npm/openclawfrom 0, < 2026.2.14

CVSS 分數

參考連結(6)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-27486
• PATCHhttps://github.com/openclaw/openclaw
• WEBhttps://github.com/openclaw/openclaw/commit/6084d13b956119e3cf95daaf9a1cae1670ea3557
• WEBhttps://github.com/openclaw/openclaw/commit/eb60e2e1b213740c3c587a7ba4dbf10da620ca66
• WEBhttps://github.com/openclaw/openclaw/releases/tag/v2026.2.14
• WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-jfv4-h8mc-jcp8