GHSA-G2F6-PWVX-R275
Vulnerability from github – Published: 2026-03-16 20:41 – Updated: 2026-03-16 20:41
Summary
openclaw versions <= 2026.3.12 accepted unsanitized iMessage remote attachment paths when staging files over SCP, allowing shell metacharacters in the remote path operand.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.3.12
- Fixed version: 2026.3.13
Details
The vulnerable path was the remote attachment staging flow in src/auto-reply/reply/stage-sandbox-media.ts. When ctx.MediaRemoteHost was set, OpenClaw staged the attachment by spawning /usr/bin/scp against <remoteHost>:<remotePath>. In affected releases, the remote host was normalized but the remote attachment path was not validated for shell metacharacters before being passed to the SCP remote operand. A sender-controlled iMessage attachment filename containing shell metacharacters could therefore trigger command execution on the configured remote host when remote attachment staging was enabled.
This issue is in scope under OpenClaw's trust model because it crosses an inbound content boundary into host command execution on a configured remote attachment host.
Fix
openclaw@2026.3.13 validates the SCP remote path before spawning scp. Current code calls normalizeScpRemotePath(...) and rejects paths containing shell metacharacters instead of passing them through to the remote shell.
Regression coverage exists in src/auto-reply/reply.stage-sandbox-media.scp-remote-path.test.ts (rejects remote attachment filenames with shell metacharacters before spawning scp).
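As an added example (not OpenClaw's code, and not its normalizeScpRemotePath), this TypeScript sketch shows the shape of the check the advisory describes: the remote attachment path is validated for shell metacharacters before it is joined into the <remoteHost>:<remotePath> operand, and scp is never spawned otherwise. Function names, the metacharacter set and the host pattern are this example's own assumptions, and the leading-dash rejection goes beyond what the advisory states.

```typescript
import { spawn } from "node:child_process";

// Characters a POSIX shell treats specially, plus whitespace and NUL.
// scp hands the remote operand to the remote login shell, so these are
// dangerous even when the local scp process is started without a shell.
const SHELL_METACHARACTERS = /[;&|`$(){}<>"'\\*?\[\]~#\s\u0000]/;

// Returns the path unchanged when it is safe to use as an scp remote
// operand, or null when it must be rejected. Name and rule set are this
// example's assumptions, not OpenClaw's normalizeScpRemotePath.
export function validateScpRemotePath(remotePath: string): string | null {
  if (remotePath.length === 0) return null;
  if (SHELL_METACHARACTERS.test(remotePath)) return null;
  // Beyond the advisory: a leading "-" would be parsed by scp as an option.
  if (remotePath.startsWith("-")) return null;
  return remotePath;
}

// Assumed host check: optional user@, then hostname characters only.
export function validateScpRemoteHost(remoteHost: string): string | null {
  return /^(?:[A-Za-z0-9._-]+@)?[A-Za-z0-9.-]+$/.test(remoteHost) ? remoteHost : null;
}

// argv for "/usr/bin/scp <host>:<path> <localDest>", or null if either
// remote component fails validation.
export function buildScpArgs(
  remoteHost: string, remotePath: string, localDest: string,
): string[] | null {
  const host = validateScpRemoteHost(remoteHost);
  const path = validateScpRemotePath(remotePath);
  if (host === null || path === null) return null;
  return [`${host}:${path}`, localDest];
}

// Staging step: refuses to spawn scp when validation fails.
export function stageRemoteAttachment(
  remoteHost: string, remotePath: string, localDest: string,
): boolean {
  const args = buildScpArgs(remoteHost, remotePath, localDest);
  if (args === null) return false;
  // shell: false only avoids a local shell; the validation above is what
  // protects the remote shell that scp's operand reaches.
  spawn("/usr/bin/scp", args, { shell: false, stdio: "ignore" });
  return true;
}
```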
Fix Commit(s)
a54bf71b4c0cbe554a84340b773df37ee8e959de
Thanks @lintsinghua for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.12"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-16T20:41:12Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n`openclaw` versions `\u003c= 2026.3.12` accepted unsanitized iMessage remote attachment paths when staging files over SCP, allowing shell metacharacters in the remote path operand.\n\n### Affected Packages / Versions\n- Package: `openclaw` (`npm`)\n- Affected versions: `\u003c= 2026.3.12`\n- Fixed version: `2026.3.13`\n\n### Details\nThe vulnerable path was the remote attachment staging flow in `src/auto-reply/reply/stage-sandbox-media.ts`. When `ctx.MediaRemoteHost` was set, OpenClaw staged the attachment by spawning `/usr/bin/scp` against `\u003cremoteHost\u003e:\u003cremotePath\u003e`. In affected releases, the remote host was normalized but the remote attachment path was not validated for shell metacharacters before being passed to the SCP remote operand. A sender-controlled iMessage attachment filename containing shell metacharacters could therefore trigger command execution on the configured remote host when remote attachment staging was enabled.\n\nThis issue is in scope under OpenClaw\u0027s trust model because it crosses an inbound content boundary into host command execution on a configured remote attachment host.\n\n### Fix\n`openclaw@2026.3.13` validates the SCP remote path before spawning `scp`. Current code calls `normalizeScpRemotePath(...)` and rejects paths containing shell metacharacters instead of passing them through to the remote shell.\n\nRegression coverage exists in `src/auto-reply/reply.stage-sandbox-media.scp-remote-path.test.ts` (`rejects remote attachment filenames with shell metacharacters before spawning scp`).\n\n### Fix Commit(s)\n- `a54bf71b4c0cbe554a84340b773df37ee8e959de`\n\nThanks @lintsinghua for reporting.",
"id": "GHSA-g2f6-pwvx-r275",
"modified": "2026-03-16T20:41:12Z",
"published": "2026-03-16T20:41:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g2f6-pwvx-r275"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/a54bf71b4c0cbe554a84340b773df37ee8e959de"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "OpneClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection"
}