Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in bashToolHasPermission() inside src/tools/BashTool/bashPermissions.ts. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an allow result immediately - before the path constraint filter (checkPathConstraints) is ever evaluated. This allows commands containing path traversal sequences (e.g., ../../../../../etc/passwd) to bypass directory restrictions entirely. Version 0.5.1 contains a patch for the issue.
AnalysisAI
Path traversal in OpenClaude CLI versions before 0.5.1 allows local authenticated users to bypass sandbox directory restrictions and access arbitrary filesystem paths. A logic flaw in the bash permission handler causes path constraint checks to be skipped when sandbox auto-allow is enabled without explicit deny rules, permitting traversal sequences like '../../../etc/passwd' to escape containment boundaries. EPSS score of 0.01% indicates low probability of widespread exploitation, and no active exploitation has been reported.
Technical ContextAI
OpenClaude is a command-line coding agent that integrates with cloud and local AI model providers. The vulnerability exists in the BashTool permission validation logic (bashToolHasPermission function in src/tools/BashTool/bashPermissions.ts). This is a classic CWE-22 path traversal flaw caused by improper control flow: when the sandbox auto-allow feature is active and no explicit deny rules are configured, the function short-circuits with an allow decision before invoking checkPathConstraints() - the filter responsible for validating path boundaries. This allows relative path sequences (../) to traverse outside intended directory constraints, potentially accessing sensitive system files or data that should be isolated from the AI agent's execution context. The local attack vector (AV:L) indicates exploitation requires existing access to the system running OpenClaude, while the changed scope (S:C) reflects that the vulnerability enables escaping the sandboxed execution environment.
RemediationAI
Upgrade to OpenClaude version 0.5.1 or later, which contains a fix for the permission validation logic flaw (commit 7002cb302b78ea2a19da3f26226de24e2903fa1d at https://github.com/Gitlawb/openclaude/commit/7002cb302b78ea2a19da3f26226de24e2903fa1d). If immediate upgrade is not feasible, implement compensating controls: (1) Disable the sandbox auto-allow feature and define explicit allow rules for required paths only - this forces path constraint validation on all operations but requires manual configuration overhead. (2) Configure explicit deny rules for sensitive filesystem locations (/etc, /root, credential stores) to trigger path checks even with auto-allow enabled - this adds defense-in-depth but does not address the root logic flaw. (3) Run OpenClaude processes under dedicated low-privilege service accounts with filesystem ACLs restricting access to only required directories - this limits blast radius but adds operational complexity. Note that workarounds do not eliminate the vulnerability and should be considered temporary until patching.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23988
GHSA-m6rx-7pvw-2f73