GHSA-FF98-W8HJ-QRXF

Vulnerability from github – Published: 2026-03-03 21:39 – Updated: 2026-03-03 21:39
VLAI
Summary
OpenClaw plugin runtime command execution is part of trusted plugin boundary
Details

Summary

OpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugin runtime command execution (runtime.system.runCommandWithTimeout).

Impact

Plugins already execute with the same OS privileges as the OpenClaw process. Exposing runtime command helpers does not cross an additional sandbox boundary.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published version reviewed: 2026.2.17
  • Affected range for this advisory record: <= 2026.2.17
  • Planned patched version metadata: 2026.2.19 (next release line)

Fix Commit(s)

  • 2e421f32dfc589c02706265fd3c3137ffc06c4b1

Remediation

  • Install only trusted plugins.
  • Use plugins.allow to pin explicit trusted plugin IDs.
  • SECURITY.md now explicitly documents that plugin runtime helpers are convenience APIs, not a sandbox boundary.

OpenClaw thanks @markmusson for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:39:26Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nOpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugin runtime command execution (`runtime.system.runCommandWithTimeout`).\n\n### Impact\nPlugins already execute with the same OS privileges as the OpenClaw process. Exposing runtime command helpers does not cross an additional sandbox boundary.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published version reviewed: `2026.2.17`\n- Affected range for this advisory record: `\u003c= 2026.2.17`\n- Planned patched version metadata: `2026.2.19` (next release line)\n\n### Fix Commit(s)\n- `2e421f32dfc589c02706265fd3c3137ffc06c4b1`\n\n### Remediation\n- Install only trusted plugins.\n- Use `plugins.allow` to pin explicit trusted plugin IDs.\n- SECURITY.md now explicitly documents that plugin runtime helpers are convenience APIs, not a sandbox boundary.\n\nOpenClaw thanks @markmusson for reporting.",
  "id": "GHSA-ff98-w8hj-qrxf",
  "modified": "2026-03-03T21:39:26Z",
  "published": "2026-03-03T21:39:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ff98-w8hj-qrxf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/2e421f32dfc589c02706265fd3c3137ffc06c4b1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw plugin runtime command execution is part of trusted plugin boundary"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…