Lucene search
K

10 matches found

RedhatCVE
RedhatCVE
added 2026/04/22 1:22 a.m.6 views

CVE-2026-35570

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in bashToolHasPermission inside src/tools/BashTool/bashPermissions.ts. When the sandbox auto-allow feature is active and no explicit deny rule is...

8.4CVSS5.8AI score0.00232EPSS
Exploits2References1
Snyk
Snyk
added 2026/04/21 3:16 p.m.9 views

Access Control Bypass

Overview @gitlawb/openclaude is an OpenClaude opens coding-agent workflows to any LLM — OpenAI, Gemini, DeepSeek, Ollama, and 200+ models Affected versions of this package are vulnerable to Access Control Bypass via the bashToolHasPermission function. An attacker can access or modify files outsid...

8.4CVSS5.8AI score0.00232EPSS
Exploits2References3
EUVD
EUVD
added 2026/04/21 3:16 p.m.6 views

EUVD-2026-23988

OpenClaude: Sandbox Bypass via Early-Exit Logic Flaw Allows Path Traversal...

8.4CVSS5.7AI score0.00232EPSS
Exploits2References3
Github Security Blog
Github Security Blog
added 2026/04/21 3:16 p.m.9 views

OpenClaude: Sandbox Bypass via Early-Exit Logic Flaw Allows Path Traversal

A logic flaw exists in bashToolHasPermission inside src/tools/BashTool/bashPermissions.ts. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an allow result immediately — before the path constraint filter checkPathConstraints is ever...

8.4CVSS5.9AI score0.00232EPSS
Exploits2References4Affected Software1
OSV
OSV
added 2026/04/21 3:16 p.m.5 views

GHSA-M6RX-7PVW-2F73 OpenClaude: Sandbox Bypass via Early-Exit Logic Flaw Allows Path Traversal

A logic flaw exists in bashToolHasPermission inside src/tools/BashTool/bashPermissions.ts. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an allow result immediately — before the path constraint filter checkPathConstraints is ever...

8.4CVSS5.9AI score0.00232EPSS
Exploits2References4
NVD
NVD
added 2026/04/21 12:16 a.m.8 views

CVE-2026-35570

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in bashToolHasPermission inside src/tools/BashTool/bashPermissions.ts. When the sandbox auto-allow feature is active and no explicit deny rule is...

8.4CVSS0.00232EPSS
Exploits2References2
ATTACKERKB
ATTACKERKB
added 2026/04/20 11:24 p.m.4 views

CVE-2026-35570

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in bashToolHasPermission inside src/tools/BashTool/bashPermissions.ts. When the sandbox auto-allow feature is active and no explicit deny rule is...

8.4CVSS5.8AI score0.00232EPSS
Exploits2References3Affected Software1
Snyk
Snyk
added 2026/03/03 10:13 p.m.4 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the autoAllowSkills process. An attacker can execute unauthorized skills without operator approval by exploiting a skill-name collision when autoAllowSkills is...

7.3CVSS5.9AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/03 10:13 p.m.16 views

OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt

Summary In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt. When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skil...

6AI score
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/03 10:13 p.m.4 views

GHSA-7FF8-XJH3-MGH6 OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt

Summary In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt. When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skil...

7.3CVSS6AI score
Exploits0References3
Rows per page
Query Builder