CVE-2026-32032

HIGH7.8EPSS 0.02%

OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment

發布日:2026/3/3修改日:2026/3/25

描述

The shell environment fallback path could invoke an attacker-controlled shell when `SHELL` was inherited from an untrusted host environment. In affected builds, shell-env loading used `$SHELL -l -c 'env -0'` without validating that `SHELL` points to a trusted executable. In threat-model terms, this requires local environment compromise or untrusted startup environment injection first; it is not a remote pre-auth path. The hardening patch validates `SHELL` as an absolute normalized executable, prefers `/etc/shells`, applies trusted-prefix fallback checks, and falls back safely to `/bin/sh` when validation fails. The dangerous env-var policy now also blocks `SHELL` overrides. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.2.21-2` - Latest published vulnerable version: `2026.2.21-2` - Patched versions (planned next release): `>= 2026.2.22` ## Fix Commit(s) - `25e89cc86338ef475d26be043aa541dfdb95e52a` ## Release Process Note The advisory pre-sets `patched_versions` to the planned next release (`2026.2.22`). After that npm release is published, maintainers can publish this advisory without further version-field edits. OpenClaw thanks @athuljayaram for reporting.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osvCVSS 3.1HIGH7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(5)