Publish Advisories

GHSA-g75x-8qqm-2vxp
GHSA-q6qf-4p5j-r25g

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-g75x-8qqm-2vxp/GHSA-g75x-8qqm-2vxp.json

@@ -1,17 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g75x-8qqm-2vxp",
-  "modified": "2026-03-19T22:21:28Z",
+  "modified": "2026-03-30T13:26:17Z",
   "published": "2026-03-03T22:08:26Z",
   "aliases": [
     "CVE-2026-32015"
   ],
   "summary": "OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks",
   "details": "## Summary\n\n`tools.exec.safeBins` allowlist checks could be bypassed by PATH-hijacked binaries, allowing execution of attacker-controlled trojan binaries under an allowlisted executable name.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published version at triage time: `2026.2.17`\n- Affected range: `>= 2026.1.21 < 2026.2.18`\n- Patched version: `2026.2.19`\n\n## Impact\n\nIn allowlist mode, `safeBins` validation previously accepted a resolved executable path based on executable name and argument shape, without enforcing trusted executable directories. If an attacker could influence process PATH resolution before gateway startup (or otherwise control the gateway launch environment), a trojan binary with an allowlisted name (for example `jq`) could be executed.\n\n## Severity Rationale\n\nThis issue is rated `medium` because exploitation requires an additional precondition: influencing the gateway process PATH / launch environment. Request-scoped PATH injection is blocked for host execution.\n\n## Fix\n\n`safeBins` now requires the resolved executable path to come from trusted bin directories (system defaults plus gateway startup PATH), closing the bypass.\n\n## Fix Commit(s)\n\n- 28bac46c92069dc728524fbf383024c1b64e5c23\n\nOpenClaw thanks @jackhax for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,13 +44,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g75x-8qqm-2vxp"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32015"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/28bac46c92069dc728524fbf383024c1b64e5c23"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-path-hijacking-bypass-in-tools-exec-safebins-allowlist-validation"
     }
   ],
   "database_specific": {
@@ -57,6 +69,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T22:08:26Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-19T22:16:34Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-q6qf-4p5j-r25g/GHSA-q6qf-4p5j-r25g.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q6qf-4p5j-r25g",
-  "modified": "2026-03-20T21:14:03Z",
+  "modified": "2026-03-30T13:26:46Z",
   "published": "2026-03-04T19:13:48Z",
   "aliases": [
     "CVE-2026-32002"
@@ -15,7 +15,7 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [