CVE-2026-39398: openclaw-claude-bridge: sandbox bypass exposes CLI tools

GHSA-7853-gqqm-vcwx MEDIUM
Published April 8, 2026
CISO Take

openclaw-claude-bridge v1.1.0 ships a false security guarantee: it invokes Claude Code CLI with `--allowed-tools ""` and documents this as disabling all tools, but `--allowed-tools` is an auto-approve allowlist — not a tool restriction. The correct sandboxing flag is `--tools ""`. Any deployment forwarding untrusted prompts through an exposed OpenClaw gateway or automated pipeline is operating without the sandbox it believes is in place, meaning Read/Write/Bash/WebFetch tools remain nominally available to the subprocess. This is not in CISA KEV and there is no confirmed active exploitation, but the attack surface is meaningful for teams running this bridge in agentic pipelines where indirect prompt injection is a realistic threat vector. Upgrade to v1.1.1 immediately (or manually patch `dist/cli-bridge.js`), and audit any prompt-forwarding surface for untrusted input exposure.

Sources: GitHub Advisory, NVD, ATLAS

Risk Assessment

Medium risk with contextual elevation depending on deployment posture. The vulnerability is a misconfigured CLI flag that creates a false sense of security rather than an immediately confirmed RCE path — actual tool execution depends on undocumented Claude Code CLI behavior in --print mode, which may auto-deny tool calls. The real danger is architectural: organizations that deployed the bridge behind public-facing gateways or automated pipelines with external data ingestion believed they had sandboxing that does not exist. If Claude Code CLI behavior changes in a future release to auto-allow tools in --print mode, this becomes a direct path to arbitrary Read/Write/Bash execution within the gateway's process context. The presence of 38 prior CVEs in the same package warrants additional scrutiny of the overall codebase security posture.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| claude-code | npm | | No patch |
| openclaw-claude-bridge | npm | <= 1.1.1 | 2.0.0 |

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Upgrade to v1.1.1 immediately — the fix switches from `--allowed-tools ""` to `--tools ""`. If v1.1.1 is still listed as affected in your scanner per the package metadata, target the patched version listed as 2.0.0.
  2. If immediate upgrade is blocked, manually edit `dist/cli-bridge.js` to replace `--allowed-tools` with `--tools`.
  3. Update environment variable references from `CLAUDE_ALLOWED_TOOLS` to `CLAUDE_TOOLS` per the v1.1.1 rename.
  4. Audit all deployments for untrusted prompt input exposure — any surface forwarding external content, web-fetched context, or agent tool results to the bridge should have compensating controls regardless of claimed sandboxing.
  5. Review compliance documentation or control inventories that cited `--allowed-tools` as a technical sandbox control and update accordingly.
  6. Monitor Claude Code CLI changelogs for behavioral changes to tool handling in --print mode, as these would directly affect exploitability.
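To make step 4 concrete, here is an added example (not code from openclaw-claude-bridge) that places the v1.1.0 argument shape next to the v1.1.1 shape and adds a hypothetical `auditToolSandbox` helper that inspects an argv before it reaches `spawn()`; the function names are assumptions, and only the flags the advisory documents (`--print`, `--allowed-tools`/`--allowedTools`, `--tools`) are recognised.

```javascript
// Added example, not the project's own code. Helper names are hypothetical.

// v1.1.0 shape: --allowed-tools "" is an auto-approve allowlist. An empty
// value pre-approves nothing, but every built-in tool stays available.
function buildCliArgsV110(prompt, allowed = process.env.CLAUDE_ALLOWED_TOOLS ?? "") {
  return ["--print", "--allowed-tools", allowed, prompt];
}

// v1.1.1 shape: --tools "" restricts the available tool set to nothing.
function buildCliArgsV111(prompt, tools = process.env.CLAUDE_TOOLS ?? "") {
  return ["--print", "--tools", tools, prompt];
}

// Audit an argv that is about to be passed to child_process.spawn().
// Returns { sandboxed, reason } so a deployment can fail closed when the
// "sandbox" is only the allowlist flag the advisory describes.
function auditToolSandbox(args) {
  const toolsIdx = args.indexOf("--tools");
  const legacyIdx = args.findIndex(a => a === "--allowed-tools" || a === "--allowedTools");

  if (toolsIdx !== -1) {
    const value = args[toolsIdx + 1] ?? "";      // value that follows the flag
    if (value === "") {
      return { sandboxed: true, reason: '--tools "" disables all built-in tools' };
    }
    if (value === "default") {
      return { sandboxed: false, reason: '--tools "default" enables all built-in tools' };
    }
    return { sandboxed: false, reason: `--tools limits the available set to: ${value}` };
  }
  if (legacyIdx !== -1) {
    return {
      sandboxed: false,
      reason: "--allowed-tools is an auto-approve allowlist, not a restriction on available tools",
    };
  }
  return { sandboxed: false, reason: "no --tools flag; the default tool set is available" };
}

// Constructed sample run: the v1.1.0 argv fails the audit, the v1.1.1 argv passes.
const v110 = auditToolSandbox(buildCliArgsV110("summarize this page", ""));
const v111 = auditToolSandbox(buildCliArgsV111("summarize this page", ""));
console.log("v1.1.0:", v110.sandboxed, "-", v110.reason);
console.log("v1.1.1:", v111.sandboxed, "-", v111.reason);
```

Wiring `auditToolSandbox` in front of the spawn call, and refusing to spawn when `sandboxed` is false, turns the README's claim into a property the process actually enforces.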

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.3 - AI system security controls
NIST AI RMF: GOVERN 1.2 - Policies and processes for AI risk management
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM06 - Excessive Agency

Technical Details

NVD Description

## Affected

openclaw-claude-bridge v1.1.0

## Issue

v1.1.0 spawns the Claude Code CLI subprocess with `--allowed-tools ""` and the release notes + README claim this **"disables all CLI tools"** for sandboxing. This claim is incorrect. Per the Claude Code CLI documentation, `--allowed-tools` (alias `--allowedTools`) is an **auto-approve allowlist** of tools that execute without permission prompts — NOT a restriction on which tools are available. The correct flag to restrict the available tool set is `--tools`:

> `--tools <tools...>` Specify the list of available tools from the built-in set. **Use `""` to disable all tools**, `"default"` to use all tools, or specify tool names (e.g. `"Bash,Edit,Read"`).

## Impact

- All CLI tools (Read/Write/Bash/WebFetch/...) remain nominally available to the spawned subprocess.
- Actual execution behavior in `--print` non-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang).
- Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.

The README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in `--print` mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway's process context.

## Patches

Fixed in [v1.1.1](https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1) (commit 8a296f5) by switching to `--tools ""`. The environment variable was also renamed from `CLAUDE_ALLOWED_TOOLS` to `CLAUDE_TOOLS` to match the flag.

## Workarounds

Setting `CLAUDE_ALLOWED_TOOLS` on v1.1.0 has no mitigating effect.
Upgrade to v1.1.1 or manually edit `dist/cli-bridge.js` to replace `--allowed-tools` with `--tools`.

## References

- Fix: https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5
- v1.1.1 notes: https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1
- Claude Code CLI reference: https://docs.claude.com/en/docs/claude-code/cli-reference

## Credit

Found during a second-round code review.

Exploitation Scenario

An adversary targets an organization running openclaw-claude-bridge v1.1.0 behind a publicly accessible OpenClaw gateway for an internal AI assistant. The operator believes CLI tools are disabled and has applied no additional input filtering. The adversary submits a prompt containing an indirect injection payload — embedded in a web page the assistant is asked to summarize, or in a document processed by an upstream agent. The payload instructs the Claude Code subprocess to invoke the Bash or Read tool to exfiltrate configuration files or credentials stored in the gateway's process environment. Because `--allowed-tools ""` does not restrict tool availability, the tools are nominally present. If current or future Claude Code CLI --print mode behavior permits tool execution without interactive approval, the adversary achieves arbitrary Read/Write/Bash access within the gateway's process context, enabling credential theft or lateral movement into backend infrastructure.

Timeline

Published: April 8, 2026
Last Modified: April 8, 2026
First Seen: April 8, 2026

Related Vulnerabilities