GHSA-2cq5-mf3v-mx44

Details

Summary

busybox and toybox applet execution weakened exec approval binding.

Affected Packages / Versions

Package: openclaw
Ecosystem: npm
Affected versions: >= 2026.2.23 < 2026.4.12
Patched versions: >= 2026.4.12

Impact

Opaque multi-call binaries such as busybox and toybox could obscure which applet or script-like behavior would actually run, weakening exec approval binding and risk classification.

Technical Details

The fix treats busybox and toybox as opaque mutable script runners and fails closed rather than binding unsafe applet invocations.

Fix

The issue was fixed in #65713. The first stable tag containing the fix is v2026.4.12, and openclaw@2026.4.14 includes the fix.

Fix Commit(s)

666f48d9b882a8a1415ca53f9567c72499d850c9
PR: #65713

Release Process Note

Users should upgrade to openclaw 2026.4.12 or newer. The latest npm release, 2026.4.14, already includes the fix.

Credits

Thanks to @decsecre583 for reporting this issue.

Affected Packages

openclaw

npm

Fixed in:

2026.4.12

References

ADVISORY

https://github.com/advisories/GHSA-2cq5-mf3v-mx44

PACKAGE

https://github.com/openclaw/openclaw

WEB

https://github.com/openclaw/openclaw/commit/666f48d9b882a8a1415ca53f9567c72499d850c9

WEB

https://github.com/openclaw/openclaw/pull/65713

WEB

https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44