CVE-2026-32003
MEDIUM6.6EPSS 0.07%OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE)
描述
### Summary `system.run` allowed `SHELLOPTS` + `PS4` environment injection to trigger command substitution during `bash -lc` xtrace expansion before the allowlisted command body executed. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `<= 2026.2.21-2` (includes latest published npm version at triage time) - Patched (planned next release): `2026.2.22` ### Impact In `allowlist` mode, an attacker who can invoke `system.run` with request-scoped `env` could execute additional shell commands outside the intended allowlisted command body. ### Root Cause Host exec env sanitization blocked startup-file vectors (`BASH_ENV`, `ENV`, etc.) but did not block `SHELLOPTS`/`PS4`. For shell wrappers (`bash|sh|zsh ... -c/-lc`), request env overrides were passed through and `bash` evaluated `PS4` under `xtrace`, enabling command substitution. ### Fix - Block `SHELLOPTS` and `PS4` in host exec env sanitizers (Node + macOS). - For shell wrappers (`bash|sh|zsh ... -c/-lc`), reduce request-scoped env overrides to an explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`). - Add regression tests for TS and macOS paths. ### Fix Commit(s) - `e80c803fa887f9699ad87a9e906ab5c1ff85bd9a` ### Release Process Note `patched_versions` is pre-set to the planned next release (`2026.2.22`). Once npm release `2026.2.22` is published, advisory publication is a final state action only. ### Severity Rationale This advisory is rated **medium** because exploitation requires a caller that can already invoke `system.run` with request-scoped `env`. Under OpenClaw's documented trust model (`SECURITY.md`), authenticated Gateway callers are treated as trusted operators, and adversarial multi-operator / prompt-injection scenarios are out of scope. The bug remains a real allowlist-intent bypass, but it does not cross a separate trust boundary in the documented deployment assumptions. OpenClaw thanks @tdjackey for reporting.
受影響套件(1)
- npm/openclawfrom 0, < 2026.2.22
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.6 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32003
- PATCHhttps://github.com/openclaw/openclaw
- WEBhttps://github.com/openclaw/openclaw/commit/e80c803fa887f9699ad87a9e906ab5c1ff85bd9a
- WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-2fgq-7j6h-9rm4
- WEBhttps://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shellopts-ps4-environment-injection-in-system-run