GHSA-FF98-W8HJ-QRXF
Vulnerability from github – Published: 2026-03-03 21:39 – Updated: 2026-03-03 21:39
VLAI
Summary
OpenClaw plugin runtime command execution is part of trusted plugin boundary
Details
Summary
OpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugin runtime command execution (runtime.system.runCommandWithTimeout).
Impact
Plugins already execute with the same OS privileges as the OpenClaw process. Exposing runtime command helpers does not cross an additional sandbox boundary.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published version reviewed:
2026.2.17 - Affected range for this advisory record:
<= 2026.2.17 - Planned patched version metadata:
2026.2.19(next release line)
Fix Commit(s)
2e421f32dfc589c02706265fd3c3137ffc06c4b1
Remediation
- Install only trusted plugins.
- Use
plugins.allowto pin explicit trusted plugin IDs. - SECURITY.md now explicitly documents that plugin runtime helpers are convenience APIs, not a sandbox boundary.
OpenClaw thanks @markmusson for reporting.
Severity
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:39:26Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nOpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugin runtime command execution (`runtime.system.runCommandWithTimeout`).\n\n### Impact\nPlugins already execute with the same OS privileges as the OpenClaw process. Exposing runtime command helpers does not cross an additional sandbox boundary.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published version reviewed: `2026.2.17`\n- Affected range for this advisory record: `\u003c= 2026.2.17`\n- Planned patched version metadata: `2026.2.19` (next release line)\n\n### Fix Commit(s)\n- `2e421f32dfc589c02706265fd3c3137ffc06c4b1`\n\n### Remediation\n- Install only trusted plugins.\n- Use `plugins.allow` to pin explicit trusted plugin IDs.\n- SECURITY.md now explicitly documents that plugin runtime helpers are convenience APIs, not a sandbox boundary.\n\nOpenClaw thanks @markmusson for reporting.",
"id": "GHSA-ff98-w8hj-qrxf",
"modified": "2026-03-03T21:39:26Z",
"published": "2026-03-03T21:39:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ff98-w8hj-qrxf"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/2e421f32dfc589c02706265fd3c3137ffc06c4b1"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw plugin runtime command execution is part of trusted plugin boundary"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…