CVE-2026-39398: openclaw-claude-bridge: sandbox bypass exposes CLI tools

GHSA-7853-gqqm-vcwx MEDIUM
Published April 8, 2026
CISO Take

openclaw-claude-bridge v1.1.0 ships a false security guarantee: it invokes Claude Code CLI with `--allowed-tools ""` and documents this as disabling all tools, but `--allowed-tools` is an auto-approve allowlist — not a tool restriction. The correct sandboxing flag is `--tools ""`. Any deployment forwarding untrusted prompts through an exposed OpenClaw gateway or automated pipeline is operating without the sandbox it believes is in place, meaning Read/Write/Bash/WebFetch tools remain nominally available to the subprocess. This is not in CISA KEV and there is no confirmed active exploitation, but the attack surface is meaningful for teams running this bridge in agentic pipelines where indirect prompt injection is a realistic threat vector. Upgrade to v1.1.1 immediately (or manually patch `dist/cli-bridge.js`), and audit any prompt-forwarding surface for untrusted input exposure.

Sources: GitHub Advisory, NVD, ATLAS

What is the risk?

Medium risk with contextual elevation depending on deployment posture. The vulnerability is a misconfigured CLI flag that creates a false sense of security rather than an immediately confirmed RCE path — actual tool execution depends on undocumented Claude Code CLI behavior in --print mode, which may auto-deny tool calls. The real danger is architectural: organizations that deployed the bridge behind public-facing gateways or automated pipelines with external data ingestion believed they had sandboxing that does not exist. If Claude Code CLI behavior changes in a future release to auto-allow tools in --print mode, this becomes a direct path to arbitrary Read/Write/Bash execution within the gateway's process context. The presence of 38 prior CVEs in the same package warrants additional scrutiny of the overall codebase security posture.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched | Package stats |
| --- | --- | --- | --- | --- |
| claude-code | npm | | No patch | 124.2K; pushed 7d ago; 36% patched; ~0d to patch |
| openclaw-claude-bridge | npm | <= 1.1.1 | 2.0.0 | 4 dependents; 91% patched; ~0d to patch |

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

6 steps
  1. Upgrade to v1.1.1 immediately — the fix switches from --allowed-tools "" to --tools "". If v1.1.1 is still listed as affected in your scanner per the package metadata, target the patched version listed as 2.0.0.

  2. If immediate upgrade is blocked, manually edit dist/cli-bridge.js to replace --allowed-tools with --tools.

  3. Update environment variable references from CLAUDE_ALLOWED_TOOLS to CLAUDE_TOOLS per the v1.1.1 rename.

  4. Audit all deployments for untrusted prompt input exposure — any surface forwarding external content, web-fetched context, or agent tool results to the bridge should have compensating controls regardless of claimed sandboxing.

  5. Review compliance documentation or control inventories that cited --allowed-tools as a technical sandbox control and update accordingly.

  6. Monitor Claude Code CLI changelogs for behavioral changes to tool handling in --print mode, as these would directly affect exploitability.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2.3 - AI system security controls
NIST AI RMF
GOVERN 1.2 - Policies and processes for AI risk management
OWASP LLM Top 10
LLM01 - Prompt Injection
LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-39398 actively exploited?

No confirmed active exploitation of CVE-2026-39398 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-39398?

1. Upgrade to v1.1.1 immediately — the fix switches from `--allowed-tools ""` to `--tools ""`. If v1.1.1 is still listed as affected in your scanner per the package metadata, target the patched version listed as 2.0.0.
2. If immediate upgrade is blocked, manually edit `dist/cli-bridge.js` to replace `--allowed-tools` with `--tools`.
3. Update environment variable references from `CLAUDE_ALLOWED_TOOLS` to `CLAUDE_TOOLS` per the v1.1.1 rename.
4. Audit all deployments for untrusted prompt input exposure — any surface forwarding external content, web-fetched context, or agent tool results to the bridge should have compensating controls regardless of claimed sandboxing.
5. Review compliance documentation or control inventories that cited `--allowed-tools` as a technical sandbox control and update accordingly.
6. Monitor Claude Code CLI changelogs for behavioral changes to tool handling in `--print` mode, as these would directly affect exploitability.

What systems are affected by CVE-2026-39398?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, automated pipelines, model serving, LLM orchestration layers.

What is the CVSS score for CVE-2026-39398?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Affected

openclaw-claude-bridge v1.1.0

## Issue

v1.1.0 spawns the Claude Code CLI subprocess with `--allowed-tools ""` and the release notes + README claim this **"disables all CLI tools"** for sandboxing. This claim is incorrect.

Per the Claude Code CLI documentation, `--allowed-tools` (alias `--allowedTools`) is an **auto-approve allowlist** of tools that execute without permission prompts — NOT a restriction on which tools are available. The correct flag to restrict the available tool set is `--tools`:

> `--tools <tools...>` Specify the list of available tools from the built-in set. **Use `""` to disable all tools**, `"default"` to use all tools, or specify tool names (e.g. `"Bash,Edit,Read"`).

## Impact

- All CLI tools (Read/Write/Bash/WebFetch/...) remain nominally available to the spawned subprocess.
- Actual execution behavior in `--print` non-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang).
- Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.

The README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in `--print` mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway's process context.

## Patches

Fixed in [v1.1.1](https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1) (commit 8a296f5) by switching to `--tools ""`. The environment variable was also renamed from `CLAUDE_ALLOWED_TOOLS` to `CLAUDE_TOOLS` to match the flag.

## Workarounds

Setting `CLAUDE_ALLOWED_TOOLS` on v1.1.0 has no mitigating effect. Upgrade to v1.1.1 or manually edit `dist/cli-bridge.js` to replace `--allowed-tools` with `--tools`.

## References

- Fix: https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5
- v1.1.1 notes: https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1
- Claude Code CLI reference: https://docs.claude.com/en/docs/claude-code/cli-reference

## Credit

Found during a second-round code review.
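As an added example (not code from openclaw-claude-bridge or the Claude Code CLI), the block below builds the subprocess argv with `--tools` instead of `--allowed-tools` as the v1.1.1 fix does, reads the renamed `CLAUDE_TOOLS` variable, and audits a captured argv for the v1.1.0 pattern described in the Issue section and in remediation steps 1 to 3. The function names are assumptions for illustration; the flag and variable names are the ones the advisory quotes.

```javascript
// Added example, not code from openclaw-claude-bridge or the Claude Code CLI.
// Flag names come from the advisory: --print, --tools, and --allowed-tools
// (alias --allowedTools). Function names are assumptions for illustration.

// Build the argv for the CLI subprocess so the tool set is actually restricted.
// `tools` lists the built-in tools to expose; [] yields `--tools ""`, which
// disables all tools. `--allowed-tools` only auto-approves tools that are still
// available, so it is never used here in place of `--tools`.
function buildClaudeArgs(prompt, tools = []) {
  if (typeof prompt !== "string" || prompt.length === 0) {
    throw new TypeError("prompt must be a non-empty string");
  }
  return ["--print", "--tools", tools.join(","), prompt];
}

// Read the tool set from the environment under the v1.1.1 name (CLAUDE_TOOLS).
// A leftover CLAUDE_ALLOWED_TOOLS is reported rather than silently honoured:
// on v1.1.0 it had no mitigating effect.
function toolsFromEnv(env) {
  const warnings = [];
  if ("CLAUDE_ALLOWED_TOOLS" in env) {
    warnings.push("CLAUDE_ALLOWED_TOOLS is set; it was renamed to CLAUDE_TOOLS in v1.1.1 and does not restrict tools");
  }
  const tools = (env.CLAUDE_TOOLS ?? "").split(",").map((t) => t.trim()).filter(Boolean);
  return { tools, warnings };
}

// Audit an argv array captured from the bridge's spawn() call. Returns findings;
// an empty list means the invocation restricts tools as the README claimed.
function auditClaudeArgs(argv) {
  const findings = [];
  const toolsIdx = argv.indexOf("--tools");
  const allowIdx = argv.findIndex((a) => a === "--allowed-tools" || a === "--allowedTools");
  if (toolsIdx === -1) {
    findings.push(allowIdx === -1
      ? "no --tools flag: every built-in tool stays available to the subprocess"
      : `${argv[allowIdx]} is an auto-approve allowlist, not a restriction, and no --tools flag is present (CVE-2026-39398 pattern)`);
  } else if (argv[toolsIdx + 1] === "default") {
    findings.push('--tools "default" exposes every built-in tool');
  }
  return findings;
}

// Constructed sample: the v1.1.0 invocation beside the fixed one.
const vulnerableArgv = ["--print", "--allowed-tools", "", "Summarize the page"];
const fixedArgv = buildClaudeArgs("Summarize the page", toolsFromEnv({}).tools);
console.log(auditClaudeArgs(vulnerableArgv)); // one finding
console.log(auditClaudeArgs(fixedArgv));      // []
```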

Exploitation Scenario

An adversary targets an organization running openclaw-claude-bridge v1.1.0 behind a publicly accessible OpenClaw gateway for an internal AI assistant. The operator believes CLI tools are disabled and has applied no additional input filtering. The adversary submits a prompt containing an indirect injection payload — embedded in a web page the assistant is asked to summarize, or in a document processed by an upstream agent. The payload instructs the Claude Code subprocess to invoke the Bash or Read tool to exfiltrate configuration files or credentials stored in the gateway's process environment. Because `--allowed-tools ""` does not restrict tool availability, the tools are nominally present. If current or future Claude Code CLI --print mode behavior permits tool execution without interactive approval, the adversary achieves arbitrary Read/Write/Bash access within the gateway's process context, enabling credential theft or lateral movement into backend infrastructure.

Timeline

Published
April 8, 2026
Last Modified
April 8, 2026
First Seen
April 8, 2026
