Description
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an `allow` result immediately — before the path constraint filter (`checkPathConstraints`) is ever evaluated. This allows commands containing path traversal sequences (e.g., `../../../../../etc/passwd`) to bypass directory restrictions entirely. Version 0.5.1 contains a patch for the issue.
Published: 2026-04-20
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file access via sandbox bypass
Action: Patch
AI Analysis

Impact

OpenClaude contains a logic flaw in the permission‑check function that causes the sandbox to return an allow result immediately when the auto‑allow feature is active and no explicit deny rule is set. This early‑exit occurs before the path constraint filter runs, allowing commands that include path traversal sequences such as ../../../../../etc/passwd to bypass directory restrictions. As a result, an attacker who controls the command input can access or execute files outside the intended sandbox boundary. The vulnerability is categorized as CWE‑22 (Path Traversal) and CWE‑284 (Improper Access Control).

Affected Systems

Gitlawb's OpenClaude prior to version 0.5.1 is affected. The issue surfaces when the sandbox auto‑allow feature is enabled without an explicit deny rule. Versions 0.5.1 and later contain a patch that addresses the early‑exit logic flaw.

Risk and Exploitability

The CVSS score of 8.4 marks this vulnerability as high severity. The EPSS score is less than 1% and it is not listed in the CISA KEV catalog. Exploitation requires local execution of the OpenClaude CLI with the auto‑allow feature enabled and without an explicit deny rule. If the tool is run with elevated privileges or as a service, the impact could extend beyond the current user, potentially affecting the entire system.

Generated by OpenCVE AI on April 21, 2026 at 23:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaude to version 0.5.1 or later
  • Disable the auto‑allow sandbox feature or configure explicit deny rules to enforce path constraints
  • Run OpenClaude only with the least privilege required and avoid elevated privileges

Generated by OpenCVE AI on April 21, 2026 at 23:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m6rx-7pvw-2f73 OpenClaude: Sandbox Bypass via Early-Exit Logic Flaw Allows Path Traversal
History

Thu, 23 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlawb:openclaude:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Gitlawb
Gitlawb openclaude
Vendors & Products Gitlawb
Gitlawb openclaude

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an `allow` result immediately — before the path constraint filter (`checkPathConstraints`) is ever evaluated. This allows commands containing path traversal sequences (e.g., `../../../../../etc/passwd`) to bypass directory restrictions entirely. Version 0.5.1 contains a patch for the issue.
Title OpenClaude has Sandbox Bypass via Early-Exit Logic Flaw that Allows Path Traversal
Weaknesses CWE-22
CWE-284
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}

Subscriptions

Gitlawb Openclaude
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:49:30.148Z

Reserved: 2026-04-03T20:09:02.826Z

Link: CVE-2026-35570

cve-icon Vulnrichment

Updated: 2026-04-21T16:02:02.535Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T00:16:28.877

Modified: 2026-04-23T18:37:09.777

Link: CVE-2026-35570

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:47:08Z

Weaknesses