Description
@rtk-ai/rtk-rewrite transparently rewrites shell commands executed via OpenClaw's exec tool to their RTK equivalents. In 1.0.0, the @rtk-ai/rtk-rewrite OpenClaw plugin passes attacker-controlled input directly into a shell-backed execSync() template string without shell-safe escaping. JSON.stringify() wraps the value in double quotes and escapes inner double-quotes and backslashes, but leaves $() and backtick shell metacharacters untouched. Because execSync delegates execution to /bin/sh -c, the shell expands $(...) substitutions even inside double-quoted strings, causing the injected subcommand to execute before rtk is invoked. An attacker who can influence the exec tool's command parameter (e.g., via an LLM agent prompt or gateway/tool-call input) achieves arbitrary OS command execution with the privileges of the plugin/gateway process.
Published: 2026-06-23
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw that occurs when the @rtk-ai/rtk-rewrite plugin forwards attacker‑controlled input into a shell‑backed execSync template string. Because the shell expands $() and backtick expressions inside double‑quoted strings, an attacker can cause arbitrary OS commands to run before the intended RTK operation, giving them the privileges of the gateway or plugin process.

Affected Systems

The affected component is the @rtk-ai/rtk-rewrite OpenClaw plugin bundled with rtk‑ai:rtk. Version 1.0.0 of the plugin is known to contain this flaw, and any OpenClaw deployment that includes this version is vulnerable.

Risk and Exploitability

The CVSS v3.1 base score is 6.3 (Medium), vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N: reachable over the network with low attack complexity, but requiring low privileges and user interaction, which matches the LLM‑agent path where an operator's session ends up running an attacker‑influenced command. No EPSS score is currently available, the SSVC assessment records exploitation status as proof‑of‑concept, and the vulnerability is not listed in CISA's KEV catalog. An attacker who can influence the exec tool's command parameter, for example through prompt injection into an LLM agent's context or through gateway/tool‑call input, can execute arbitrary shell commands with the privileges of the gateway or plugin process.

Generated by OpenCVE AI on June 24, 2026 at 10:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a fixed release of @rtk-ai/rtk-rewrite once the maintainers publish one; this record currently references no fix, so confirm from the changelog or commit that the execSync() sink was changed rather than assuming a version bump resolves it.
  • Until then, keep untrusted input out of the exec tool's command parameter, or validate it against an allowlist of expected command shapes. Rejecting `$` and backtick characters would block this particular sink (inside double quotes the shell expands only `$`, backtick, backslash and `"`, and JSON.stringify already handles the last two), but a denylist of metacharacters is brittle and should be a stopgap, not the fix.
  • Replace the execSync() call with an invocation that never goes through /bin/sh: pass the command as a single element of an argument array to child_process.execFileSync (or spawnSync without shell: true), so the value reaches rtk as one literal argv entry. If a shell string is genuinely unavoidable, wrap the value in POSIX single quotes (escaping embedded single quotes as '\'') instead of relying on JSON.stringify, which only neutralizes double quotes and backslashes.

Generated by OpenCVE AI on June 24, 2026 at 10:13 UTC.


Advisories

No advisories yet.

History

Tue, 23 Jun 2026 19:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 19:00:00 +0000

Type: Description
Values removed: (none)
Values added: @rtk-ai/rtk-rewrite transparently rewrites shell commands executed via OpenClaw's exec tool to their RTK equivalents. In 1.0.0, the @rtk-ai/rtk-rewrite OpenClaw plugin passes attacker-controlled input directly into a shell-backed execSync() template string without shell-safe escaping. JSON.stringify() wraps the value in double quotes and escapes inner double-quotes and backslashes, but leaves $() and backtick shell metacharacters untouched. Because execSync delegates execution to /bin/sh -c, the shell expands $(...) substitutions even inside double-quoted strings, causing the injected subcommand to execute before rtk is invoked. An attacker who can influence the exec tool's command parameter (e.g., via an LLM agent prompt or gateway/tool-call input) achieves arbitrary OS command execution with the privileges of the plugin/gateway process.

Type: Title
Values removed: (none)
Values added: @rtk-ai/rtk-rewrite: OpenClaw Rewrite Plugin Command Injection via execSync Template String

Type: Weaknesses
Values removed: (none)
Values added: CWE-78

Type: References
Values removed: (none)
Values added: (empty)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T18:53:41.611Z

Reserved: 2026-06-16T16:44:00.625Z

Link: CVE-2026-55249

Vulnrichment

Updated: 2026-06-23T18:53:34.218Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:15:05Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')