Description
OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary execution of otherwise blocked script content
Action: Apply patch
AI Analysis

Impact

OpenClaw implements shell-bleed protection that blocks execution of risky script fragments. A flaw in the preflight validation logic allows attackers to craft piped, substituted, or subshell commands that evade the validateScriptFileForShellBleed check, enabling the execution of script content that would normally be prevented. This results in arbitrary code execution within the application's scripting engine, potentially compromising availability, confidentiality, and integrity.
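The failure mode described above, as an added illustration that is not OpenClaw's own code: a preflight check that only understands a plain "interpreter file" invocation never sees what surrounds those two words, whereas a check that fails closed on any shell construct it does not parse cannot be talked past. The BLOCKED_FILES set, the interpreter list and the function names are constructed for this example.

```javascript
// Constructed stand-in for the real content scanner's verdict (not OpenClaw code).
const BLOCKED_FILES = new Set(["blocked.sh"]);
const INTERPRETERS = new Set(["sh", "bash"]);

// Report every shell construct that turns a single simple invocation into a
// compound command: pipes, chaining, substitution, subshells and redirects.
// Single-quoted text is literal; inside double quotes substitution still occurs.
function findCompoundConstructs(command) {
  const found = new Set();
  let quote = null;                       // active quote character, if any
  for (let i = 0; i < command.length; i++) {
    const c = command[i];
    if (quote === "'") { if (c === "'") quote = null; continue; }
    if (quote === '"') {
      if (c === '"') quote = null;
      else if (c === "\\") i++;           // escaped character inside double quotes
      else if (c === "`" || (c === "$" && command[i + 1] === "(")) found.add("substitution");
      continue;
    }
    if (c === "'" || c === '"') { quote = c; continue; }
    if (c === "\\") { i++; continue; }   // skip the escaped character
    if (c === "|") found.add("pipe");
    else if (c === ";" || c === "&") found.add("chain");
    else if (c === "`") found.add("substitution");
    else if (c === "$" && command[i + 1] === "(") { found.add("substitution"); i++; }
    else if (c === "(") found.add("subshell");
    else if (c === "<" || c === ">") found.add("redirect");
  }
  return [...found];
}

// Vulnerable-style check (assumed shape of the pre-fix logic): it inspects only
// the first two words, so anything in front of or around them is never examined.
function naivePreflight(command) {
  const [interp, file] = command.trim().split(/\s+/);
  return INTERPRETERS.has(interp) && BLOCKED_FILES.has(file) ? "blocked" : "allowed";
}

// Hardened check: any construct the simple-invocation parser does not model is
// rejected up front, so an unrecognised command form can never be classified as safe.
function hardenedPreflight(command) {
  const constructs = findCompoundConstructs(command);
  return constructs.length ? "blocked:" + constructs.join(",") : naivePreflight(command);
}
```

The naive variant returns "allowed" for the piped, substituted and subshell forms the advisory names, while the hardened variant reports which construct caused the rejection, which is also what you would want in the application's logs.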

Affected Systems

All installations of OpenClaw running a version before the commit identified by 8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513 are vulnerable. The vulnerability affects the default Node.js implementation bundled with OpenClaw; any environment exposing the script analysis functionality is at risk. Upgrading to the mentioned commit or later releases resolves the issue.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, but the lack of an EPSS score and exclusion from KEV suggest limited evidence of active exploitation so far. The flaw can be leveraged by an attacker who can supply crafted command strings to the application, so the likely attack vector is application-side script input. If the application processes user-supplied command fragments, an attacker could trigger the bypass and execute arbitrary code.

Generated by OpenCVE AI on April 2, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to the commit that contains the fix or to a later released version.
  • Verify that the shell-bleed protection module is enabled and functioning in the application configuration.
  • Validate and sanitize any command strings entered by users to avoid complex piping or subshell usage.
  • Monitor logs for unexpected script execution attempts and review access controls around scripting features.


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 14:00:00 +0000

  Values added (no values removed):
    Metrics: ssvc
      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

  Values added (no values removed):
    Description: OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked.
    Title: OpenClaw - Shell-Bleed Protection Preflight Validation Bypass
    First Time appeared: Openclaw; Openclaw openclaw
    Weaknesses: CWE-184
    CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
    Vendors & Products: Openclaw; Openclaw openclaw
    References:
    Metrics: cvssV3_1
      {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
    Metrics: cvssV4_0
      {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-03T13:00:31.471Z

Reserved: 2026-03-27T15:24:06.752Z

Link: CVE-2026-34425

Vulnrichment

Updated: 2026-04-03T13:00:28.163Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T19:21:31.507

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:55Z

Weaknesses