CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-34425

CVE-2026-34425: Validation Bypass in OpenClaw Shell-Bleed Protection

Amit Schendel
Amit Schendel
Senior Security Researcher

Apr 7, 2026·5 min read·24 visits

Executive Summary (TL;DR)

A fail-open logic flaw in OpenClaw's preflight script validator allows attackers to bypass 'Shell-Bleed' protections using complex shell syntax, enabling execution of unvalidated script content.

OpenClaw versions prior to commit 8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513 contain a validation bypass vulnerability in the preflight script execution checker. The fail-open design of the command parser allows malicious shell syntax to evade detection and execute arbitrary code. The patch implements a robust, fail-closed command tokenizer.

Vulnerability Overview

CVE-2026-34425 is a vulnerability in the OpenClaw execution script preflight validation mechanism. This component enforces "Shell-Bleed" protection, a security control intended to prevent shell-specific syntax from executing inside interpreters like Python or Node.js.

The vulnerability is classified as CWE-184: Incomplete List of Disallowed Inputs. The primary validation routine implemented a fail-open design pattern relying on a limited, regex-based parser. When the parser encountered command structures it could not identify, it permitted the execution sequence to proceed without applying the requisite content checks.

Attackers exploit this logic flaw by supplying obfuscated or complex command string structures. These structures successfully mask the script path from the preflight check while remaining valid inputs for the underlying operating system shell. The system consequently executes malicious script content that the Shell-Bleed protection is designed to block.

Root Cause Analysis

The root cause resides in the extractScriptTargetFromCommand function utilized by the OpenClaw preflight validator. This function employed a naive regular expression engine designed to match highly specific, simplistic command formats.

The parser successfully identified standard invocation patterns, such as python script.py or node script.js. However, it lacked the grammatical awareness required to parse complex shell features, variable assignments, or environment wrappers. If a provided command deviated from the rigid regex patterns, the function failed to extract the target script path.

Compounding this parsing deficiency was the validator's fail-open execution policy. Upon failing to extract a script path, the validator erroneously concluded that the command did not execute a script. It subsequently skipped all content-inspection routines and passed the unvalidated command directly to the execution engine.

The architectural failure flow is illustrated below:

Code Analysis

The remediation introduced in commit 8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513 replaces the regex-based parsing model with a comprehensive command-line tokenizer. This tokenizer correctly processes double quotes, escape characters, and complex command shapes.

The patch introduces dedicated logic to identify and strip common execution wrappers. The new implementation specifically targets utilities like /usr/bin/env and leading environment variable assignments that previously obscured the interpreter invocation from the validator.

// Vulnerable Implementation (Abstract)
function extractScriptTargetFromCommand(command) {
  // Flaw 1: Naive regex fails on quotes or wrappers
  const match = command.match(/^(python|node)\s+([^\s]+)$/);
  if (!match) {
    // Flaw 2: Fail-open return null skips validation
    return null;
  }
  return match[2];
}

The developers also implemented a strict fail-closed security model. If the tokenizer encounters ambiguous syntax, pipe operators, redirects, or unrecognized shell structures, the validator immediately halts the execution pipeline. This prevents unexpected shell behaviors from bypassing the preflight checks.

// Patched Implementation (Abstract)
function extractScriptTargetFromCommandSecure(command) {
  const tokens = robustTokenizer(command);
  
  if (detectComplexShell(tokens)) {
    // Fix: Fail-closed on pipes, subshells, redirects
    throw new Error("Disallowed shell syntax detected");
  }
  
  const normalizedTokens = stripEnvWrappers(tokens);
  return extractScriptTarget(normalizedTokens);
}

Exploitation Methodology

Exploiting CVE-2026-34425 requires the attacker to submit a command string that circumvents the extractScriptTargetFromCommand regex while retaining functional validity in the host shell environment. The attacker does not require direct system access, provided they can supply input to the OpenClaw agent.

The simplest exploitation vector involves quoting the target script path. Supplying node "malicious.js" caused the original parser to fail, as the regex did not account for quotation marks. The fail-open logic then executed the file without validating its contents.

More advanced exploitation leverages environment wrappers and shell-specific features. Attackers can utilize commands such as env python malicious.py or cat malicious.py | python. These inputs mask the interpreter from the naive parser, allowing malicious variable injection or disallowed script content to execute unrestricted.

Exploitation can also leverage complex interpreter flags. Providing Node.js flags like --require or --import instructs the interpreter to load unvalidated external code, effectively bypassing the content inspection applied to the primary script.

Impact Assessment

Successful exploitation of this vulnerability permits the execution of arbitrary script content within the context of the OpenClaw agent. The severity is quantified by a CVSS v3.1 score of 5.4 and a CVSS v4.0 score of 5.3, denoting a Medium severity impact.

The attack vector is strictly network-based, requiring low privileges and no user interaction. The primary impact is categorized under limited confidentiality and integrity loss, as the attacker achieves execution within the operational bounds of the agent process.

Current exploitation maturity remains low, evidenced by an EPSS score of 0.00048. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the trivial nature of the bypass necessitates prompt remediation for publicly exposed or multi-tenant agent instances.

Remediation Guidance

The primary remediation strategy is upgrading OpenClaw to a version containing commit 8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513. This update fundamentally redesigns the parsing architecture and enforces a strict fail-closed validation policy.

Organizations unable to immediately apply the patch must implement strict input sanitization prior to the OpenClaw execution phase. Operators should reject any input containing quotation marks, pipe operators, subshell syntax, or environment modification commands at the application edge.

System administrators should restrict the capabilities of the shell environment utilized by the OpenClaw agent. Implementing robust sandboxing, limiting access to environment variables, and utilizing restricted shells mitigates the impact of potential bypasses.

Developers must audit all automated agents utilizing OpenClaw for instances where complex or ambiguous shell invocations are explicitly required, as the updated fail-closed tokenizer may introduce benign breakages for previously accepted complex commands.

Official Patches

OpenClawFix Commit
OpenClawGitHub Security Advisory

Fix Analysis (1)

Technical Appendix

CVSS Score
5.4/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS Probability
0.05%
Top 85% most exploited

Affected Systems

OpenClaw (npm) preflight validation mechanismOpenClaw Shell-Bleed protection modules

Affected Versions Detail

Product
Affected Versions
Fixed Version
OpenClaw
OpenClaw
Prior to commit 8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513Commit 8aceaf5
AttributeDetail
CWE IDCWE-184
Attack VectorNetwork
CVSS v3.15.4
CVSS v4.05.3
EPSS Score0.00048
KEV ListedFalse
Patch StatusPatched

MITRE ATT&CK Mapping

T1059Command and Scripting Interpreter
Execution
CWE-184
Incomplete List of Disallowed Inputs

The software does not fully enforce a list of disallowed inputs, allowing an attacker to submit input that bypasses intended validation routines.

Vulnerability Timeline

Vulnerability disclosed and patch released via GHSA-fvx6-pj3r-5q4q
2026-04-02
CVE-2026-34425 published to CVE.org
2026-04-02
NVD analysis completed and CVSS scores assigned
2026-04-03

References & Sources

  • [1]NVD Record CVE-2026-34425
  • [2]GHSA-fvx6-pj3r-5q4q Advisory
  • [3]Fix Commit 8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513
  • [4]VulnCheck Advisory

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•30 minutes ago•CVE-2026-46599
7.5

CVE-2026-46599: Unrestricted Memory Allocation in golang.org/x/image/tiff PackBits Decoder

CVE-2026-46599 (also identified by Go vulnerability alias GO-2026-5032) is a high-severity denial-of-service vulnerability in the Go image repository, specifically within the TIFF decoder's PackBits decompression engine. A lack of resource limits during the parsing of Run-Length Encoded PackBits streams allows an attacker to construct a crafted TIFF image that achieves significant decompression amplification. This flaw enables an unauthenticated remote attacker to exhaust system resources, leading to an Out-of-Memory crash or a prolonged application hang.

Alon Barad
Alon Barad
2 views•7 min read
•3 days ago•CVE-2026-54269
5.3

CVE-2026-54269: Runtime Property Shadowing and Denial of Service in protobufjs

A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.

Alon Barad
Alon Barad
10 views•6 min read
•4 days ago•CVE-2025-6965
7.7

CVE-2025-6965: Remote Code Execution via Integer Truncation in SQLite Aggregate Parser

An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.

Amit Schendel
Amit Schendel
18 views•6 min read
•5 days ago•CVE-2026-47291
9.8

CVE-2026-47291: Remote Code Execution in Windows HTTP.sys Kernel Driver

An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.

Amit Schendel
Amit Schendel
31 views•8 min read
•5 days ago•CVE-2026-11822
7.8

CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

Amit Schendel
Amit Schendel
11 views•5 min read
•5 days ago•CVE-2026-56350
6.3

CVE-2026-56350: SSO Enforcement Bypass in n8n via API Parameter Pollution / Mass Assignment

A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).

Amit Schendel
Amit Schendel
12 views•6 min read