CVE-2026-39398 (GCVE-0-2026-39398)
Vulnerability from cvelistv5 – Published: – Updated: 2026-04-09 15:39
The affected product and advisory are not public.
{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2026-04-09T15:39:34.293Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"rejectedReasons": [
{
"lang": "en",
"value": "The affected product and advisory are not public."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39398",
"dateRejected": "2026-04-09T15:39:34.293Z",
"dateReserved": "2026-04-06T22:06:40.516Z",
"dateUpdated": "2026-04-09T15:39:34.293Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-39398\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-09T16:16:28.413\",\"lastModified\":\"2026-04-09T16:16:28.413\",\"vulnStatus\":\"Rejected\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rejected reason: The affected product and advisory are not public.\"}],\"metrics\":{},\"references\":[]}}"
}
}
WID-SEC-W-2026-1005
Vulnerability from csaf_certbund - Published: 2026-04-07 22:00 - Updated: 2026-04-28 22:00
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "OpenClaw ist ein pers\u00f6nlicher KI-Assistent zur Ausf\u00fchrung auf eigenen Ger\u00e4ten.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in OpenClaw ausnutzen, um erweiterte Privilegien zu erlangen, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, Daten offenzulegen oder zu manipulieren oder andere, nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-1005 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1005.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-1005 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1005"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-cmfr-9m2r-xwhq vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cmfr-9m2r-xwhq"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-67mf-f936-ppxf vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-67mf-f936-ppxf"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-25wv-8phj-8p7r vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-25wv-8phj-8p7r"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-3vvq-q2qc-7rmp vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3vvq-q2qc-7rmp"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-5h3f-885m-v22w vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-5wj5-87vq-39xm vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5wj5-87vq-39xm"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-68x5-xx89-w9mm vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-68x5-xx89-w9mm"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-7437-7hg8-frrw vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7437-7hg8-frrw"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-7853-gqqm-vcwx vom 2026-04-07",
"url": "https://github.com/advisories/GHSA-7853-gqqm-vcwx"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-83f3-hh45-vfw9 vom 2026-04-07",
"url": "https://github.com/advisories/GHSA-83f3-hh45-vfw9"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-ccx3-fw7q-rr2r vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ccx3-fw7q-rr2r"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-cm8v-2vh9-cxf3 vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cm8v-2vh9-cxf3"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-jf56-mccx-5f3f vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jf56-mccx-5f3f"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-q2gc-xjqw-qp89 vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q2gc-xjqw-qp89"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-qqq7-4hxc-x63c vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qqq7-4hxc-x63c"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-vc32-h5mq-453v vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vc32-h5mq-453v"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-vfw7-6rhc-6xxg vom 2026-04-07",
"url": "https://github.com/advisories/GHSA-vfw7-6rhc-6xxg"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-vr5g-mmx7-h897 vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vr5g-mmx7-h897"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-w8g9-x8gx-crmm vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w8g9-x8gx-crmm"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-w9j9-w4cp-6wgr vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9j9-w4cp-6wgr"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-whf9-3hcx-gq54 vom 2026-04-07",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-whf9-3hcx-gq54"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-wpc6-37g7-8q4w vom 2026-04-07",
"url": "https://github.com/advisories/GHSA-wpc6-37g7-8q4w"
}
],
"source_lang": "en-US",
"title": "OpenClaw: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-04-28T22:00:00.000+00:00",
"generator": {
"date": "2026-04-29T04:49:14.636+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-1005",
"initial_release_date": "2026-04-07T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-04-07T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-04-20T22:00:00.000+00:00",
"number": "2",
"summary": "CVE erg\u00e4nzt"
},
{
"date": "2026-04-28T22:00:00.000+00:00",
"number": "3",
"summary": "CVE-Nummern erg\u00e4nzt"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2026.4.8",
"product": {
"name": "Open Source OpenClaw \u003c2026.4.8",
"product_id": "T052515"
}
},
{
"category": "product_version",
"name": "2026.4.8",
"product": {
"name": "Open Source OpenClaw 2026.4.8",
"product_id": "T052515-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:openclaw:openclaw:2026.4.8"
}
}
}
],
"category": "product_name",
"name": "OpenClaw"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-39398",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-39398"
},
{
"cve": "CVE-2026-40045",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-40045"
},
{
"cve": "CVE-2026-41384",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-41384"
},
{
"cve": "CVE-2026-41392",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-41392"
},
{
"cve": "CVE-2026-41910",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-41910"
},
{
"cve": "CVE-2026-41912",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-41912"
},
{
"cve": "CVE-2026-41913",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-41913"
},
{
"cve": "CVE-2026-41915",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-41915"
},
{
"cve": "CVE-2026-41916",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-41916"
},
{
"cve": "CVE-2026-42420",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-42420"
},
{
"cve": "CVE-2026-42421",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-42421"
},
{
"cve": "CVE-2026-42422",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-42422"
},
{
"cve": "CVE-2026-42423",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-42423"
},
{
"cve": "CVE-2026-42424",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-42424"
},
{
"cve": "CVE-2026-42426",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-42426"
},
{
"cve": "CVE-2026-42427",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-42427"
},
{
"cve": "CVE-2026-42428",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-42428"
},
{
"cve": "CVE-2026-42430",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-42430"
},
{
"cve": "CVE-2026-42431",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-42431"
},
{
"cve": "CVE-2026-42432",
"product_status": {
"known_affected": [
"T052515"
]
},
"release_date": "2026-04-07T22:00:00.000+00:00",
"title": "CVE-2026-42432"
}
]
}
FKIE_CVE-2026-39398
Vulnerability from fkie_nvd - Published: 2026-04-09 16:16 - Updated: 2026-04-09 16:16
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Rejected reason: The affected product and advisory are not public."
}
],
"id": "CVE-2026-39398",
"lastModified": "2026-04-09T16:16:28.413",
"metrics": {},
"published": "2026-04-09T16:16:28.413",
"references": [],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Rejected"
}
GHSA-7853-GQQM-VCWX
Vulnerability from github – Published: 2026-04-08 00:16 – Updated: 2026-04-08 00:16
Affected
openclaw-claude-bridge v1.1.0
Issue
v1.1.0 spawns the Claude Code CLI subprocess with --allowed-tools "" and the release notes + README claim this "disables all CLI tools" for sandboxing. This claim is incorrect.
Per the Claude Code CLI documentation, --allowed-tools (alias --allowedTools) is an auto-approve allowlist of tools that execute without permission prompts — NOT a restriction on which tools are available. The correct flag to restrict the available tool set is --tools:
--tools <tools...>  Specify the list of available tools from the built-in set. Use "" to disable all tools, "default" to use all tools, or specify tool names (e.g. "Bash,Edit,Read").
Impact
- All CLI tools (Read/Write/Bash/WebFetch/...) remain nominally available to the spawned subprocess.
- Actual execution behavior in --print non-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang).
- Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.
The README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in --print mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway's process context.
Patches
Fixed in v1.1.1 (commit 8a296f5) by switching to --tools "". The environment variable was also renamed from CLAUDE_ALLOWED_TOOLS to CLAUDE_TOOLS to match the flag.
Workarounds
Setting CLAUDE_ALLOWED_TOOLS on v1.1.0 has no mitigating effect. Upgrade to v1.1.1 or manually edit dist/cli-bridge.js to replace --allowed-tools with --tools.
References
- Fix: https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5
- v1.1.1 notes: https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1
- Claude Code CLI reference: https://docs.claude.com/en/docs/claude-code/cli-reference
Credit
Found during a second-round code review.
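The flag mix-up above is easy to catch by auditing the argument vector a bridge actually passes to the CLI rather than trusting what its README says. The following is an added example, not code from openclaw-claude-bridge or from Claude Code: it parses a spawn argv, treats `--tools ""` as the only setting that removes tools (per the CLI reference quoted in the advisory), treats `--allowed-tools` / `--allowedTools` as an auto-approve list that removes nothing, and reports whether a "no tools" sandbox claim holds. The function names (`parseFlags`, `auditToolRestriction`, `sandboxClaimHolds`) and the two argv samples are constructed for this example; the assumption that `--print` takes no value is mine, made so that a following prompt string is not consumed as its argument.

```javascript
// Added example (not the project's code): audit a Claude Code CLI argv for an
// effective tool restriction. Flag semantics are taken from the advisory's quote
// of the CLI reference; everything else here is an assumption for illustration.

// Assumption: --print is a value-less flag, so the prompt that follows it is not
// parsed as its value.
const BOOLEAN_FLAGS = new Set(['print']);

// Parse long options into a Map, accepting both `--flag value` and `--flag=value`.
function parseFlags(argv) {
  const flags = new Map();
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    if (eq !== -1) {
      flags.set(arg.slice(2, eq), arg.slice(eq + 1));
      continue;
    }
    const name = arg.slice(2);
    const next = argv[i + 1];
    if (!BOOLEAN_FLAGS.has(name) && next !== undefined && !next.startsWith('--')) {
      flags.set(name, next); // includes the empty string, as in `--tools ""`
      i++;
    } else {
      flags.set(name, true);
    }
  }
  return flags;
}

// Returns { restricted, availableTools, findings } for the given argv.
// availableTools is 'none', 'all', or an array of tool names.
function auditToolRestriction(argv) {
  const flags = parseFlags(argv);
  const findings = [];
  const tools = flags.get('tools');
  const allowed = flags.has('allowed-tools') ? flags.get('allowed-tools') : flags.get('allowedTools');

  let availableTools;
  if (tools === '') {
    availableTools = 'none'; // `--tools ""` disables all tools (CLI reference)
  } else if (tools === undefined || tools === true || tools === 'default') {
    availableTools = 'all';
    findings.push('no --tools restriction: the full built-in tool set is available');
  } else {
    availableTools = tools.split(',').map((t) => t.trim()).filter(Boolean);
  }

  if (allowed !== undefined) {
    findings.push('--allowed-tools only auto-approves tools; it does not remove any tool');
    if (allowed === '' && availableTools === 'all') {
      findings.push('--allowed-tools "" with no --tools is not a sandbox (the v1.1.0 mistake)');
    }
  }
  if (flags.has('print') && availableTools !== 'none') {
    findings.push('tool execution in --print mode depends on undocumented CLI defaults');
  }
  return { restricted: availableTools !== 'all', availableTools, findings };
}

// True only when the argv really disables every tool, i.e. when a
// "disables all CLI tools" claim in a README would be accurate.
function sandboxClaimHolds(argv) {
  return auditToolRestriction(argv).availableTools === 'none';
}

// Constructed samples modelled on the advisory: the v1.1.0 shape and the v1.1.1 shape.
const VULNERABLE_ARGV = ['--print', '--allowed-tools', '', 'summarise this page'];
const FIXED_ARGV = ['--print', '--tools', '', 'summarise this page'];

console.log('v1.1.0 shape:', JSON.stringify(auditToolRestriction(VULNERABLE_ARGV), null, 2));
console.log('v1.1.1 shape:', JSON.stringify(auditToolRestriction(FIXED_ARGV), null, 2));
```

Run against the v1.1.0 shape the audit reports `availableTools: 'all'` with two findings about `--allowed-tools`; against the v1.1.1 shape it reports `'none'` and no findings. A deployment check that spawns the CLI can call `sandboxClaimHolds` on the argv it is about to pass and refuse to start if the result is false.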
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw-claude-bridge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39398"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-276"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T00:16:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Affected\n\nopenclaw-claude-bridge v1.1.0\n\n## Issue\n\nv1.1.0 spawns the Claude Code CLI subprocess with `--allowed-tools \"\"` and the release notes + README claim this **\"disables all CLI tools\"** for sandboxing. This claim is incorrect.\n\nPer the Claude Code CLI documentation, `--allowed-tools` (alias `--allowedTools`) is an **auto-approve allowlist** of tools that execute without permission prompts \u2014 NOT a restriction on which tools are available. The correct flag to restrict the available tool set is `--tools`:\n\n\u003e `--tools \u003ctools...\u003e` Specify the list of available tools from the built-in set. **Use `\"\"` to disable all tools**, `\"default\"` to use all tools, or specify tool names (e.g. `\"Bash,Edit,Read\"`).\n\n## Impact\n\n- All CLI tools (Read/Write/Bash/WebFetch/...) remain nominally available to the spawned subprocess.\n- Actual execution behavior in `--print` non-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang).\n- Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.\n\nThe README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in `--print` mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway\u0027s process context.\n\n## Patches\n\nFixed in [v1.1.1](https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1) (commit 8a296f5) by switching to `--tools \"\"`. The environment variable was also renamed from `CLAUDE_ALLOWED_TOOLS` to `CLAUDE_TOOLS` to match the flag.\n\n## Workarounds\n\nSetting `CLAUDE_ALLOWED_TOOLS` on v1.1.0 has no mitigating effect. Upgrade to v1.1.1 or manually edit `dist/cli-bridge.js` to replace `--allowed-tools` with `--tools`.\n\n## References\n\n- Fix: https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5\n- v1.1.1 notes: https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1\n- Claude Code CLI reference: https://docs.claude.com/en/docs/claude-code/cli-reference\n\n## Credit\n\nFound during a second-round code review.",
"id": "GHSA-7853-gqqm-vcwx",
"modified": "2026-04-08T00:16:09Z",
"published": "2026-04-08T00:16:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SeaL773/openclaw-claude-bridge/security/advisories/GHSA-7853-gqqm-vcwx"
},
{
"type": "WEB",
"url": "https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5"
},
{
"type": "PACKAGE",
"url": "https://github.com/SeaL773/openclaw-claude-bridge"
},
{
"type": "WEB",
"url": "https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "openclaw-claude-bridge: sandbox is not effective - `--allowed-tools \"\"` does not restrict available tools"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.