Skip to main content

AI / ML CVE-2026-39398

MEDIUM
Incorrect Default Permissions (CWE-276)
2026-04-08 https://github.com/SeaL773/openclaw-claude-bridge GHSA-7853-gqqm-vcwx
Share

Lifecycle Timeline

3
Analysis Generated
Apr 08, 2026 - 00:30 vuln.today
Patch released
Apr 08, 2026 - 00:30 nvd
Patch available
CVE Published
Apr 08, 2026 - 00:16 nvd
MEDIUM

DescriptionCVE.org

Affected

openclaw-claude-bridge v1.1.0

Issue

v1.1.0 spawns the Claude Code CLI subprocess with --allowed-tools "" and the release notes + README claim this "disables all CLI tools" for sandboxing. This claim is incorrect.

Per the Claude Code CLI documentation, --allowed-tools (alias --allowedTools) is an auto-approve allowlist of tools that execute without permission prompts - NOT a restriction on which tools are available. The correct flag to restrict the available tool set is --tools:

> --tools <tools...> Specify the list of available tools from the built-in set. Use "" to disable all tools, "default" to use all tools, or specify tool names (e.g. "Bash,Edit,Read").

Impact

  • All CLI tools (Read/Write/Bash/WebFetch/...) remain nominally available to the spawned subprocess.
  • Actual execution behavior in --print non-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang).
  • Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.

The README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in --print mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway's process context.

Patches

Fixed in v1.1.1 (commit 8a296f5) by switching to --tools "". The environment variable was also renamed from CLAUDE_ALLOWED_TOOLS to CLAUDE_TOOLS to match the flag.

Workarounds

Setting CLAUDE_ALLOWED_TOOLS on v1.1.0 has no mitigating effect. Upgrade to v1.1.1 or manually edit dist/cli-bridge.js to replace --allowed-tools with --tools.

References

  • Fix: https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5
  • v1.1.1 notes: https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1
  • Claude Code CLI reference: https://docs.claude.com/en/docs/claude-code/cli-reference

Credit

Found during a second-round code review.

AnalysisAI

openclaw-claude-bridge v1.1.0 incorrectly disables CLI tool access by passing --allowed-tools "" to the Claude Code subprocess, when the correct flag to disable tools is --tools. The --allowed-tools flag only controls which tools auto-approve without prompts; all CLI tools (Read, Write, Bash, WebFetch, etc.) remain nominally available. Users deploying the bridge to handle untrusted prompts or in gateway contexts may unknowingly operate without the sandboxing protections claimed in the README, exposing systems to prompt-injection attacks that could trigger arbitrary code execution in the process context. Vendor-released patch: v1.1.1 (commit 8a296f5).

Technical ContextAI

The openclaw-claude-bridge (npm package pkg:npm/openclaw-claude-bridge) wraps the Claude Code CLI by spawning a subprocess with configuration flags. The vulnerability stems from a misunderstanding of Claude Code CLI's command-line interface: the --allowed-tools flag (per official documentation) specifies an auto-approve allowlist for tool execution without permission prompts, while the --tools flag controls which tools from the built-in set are actually available. The bridge's v1.1.0 passes --allowed-tools "" believing this disables all tools, but per the Claude Code CLI reference documentation, the correct incantation is --tools "" to disable tools entirely. The underlying issue is CWE-276 (Incorrect Default Permissions), as the code makes a security claim (README documentation) that does not match the actual implementation behavior. The root cause is reliance on incorrect understanding of a dependency's API contract.

RemediationAI

Vendor-released patch: upgrade to openclaw-claude-bridge v1.1.1 or later (commit 8a296f5), which corrects the subprocess invocation to use --tools "" instead of --allowed-tools "" and renames the environment variable from CLAUDE_ALLOWED_TOOLS to CLAUDE_TOOLS. For users unable to upgrade immediately, manually edit the dist/cli-bridge.js file to replace the --allowed-tools flag with --tools. Setting the CLAUDE_ALLOWED_TOOLS environment variable on v1.1.0 has no mitigating effect and should not be relied upon. Refer to the patch commit and v1.1.1 release notes at https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1 and the GitHub security advisory at https://github.com/advisories/GHSA-7853-gqqm-vcwx.

CVE-2026-23744 CRITICAL POC
9.8 Jan 16

MCPJam Inspector versions 1.4.2 and earlier allow unauthenticated remote code execution through missing authentication i

CVE-2024-8859 HIGH POC
7.5 Mar 20

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. Rated high severity (CVSS 7.5), this vulnerabilit

CVE-2026-27966 CRITICAL POC
9.8 Feb 26

Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary

CVE-2026-0770 CRITICAL POC
9.8 Jan 23

Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes

CVE-2026-27597 CRITICAL POC
10.0 Feb 25

Sandbox escape in Enclave JavaScript sandbox before 2.11.1. Enclave is designed for safe AI agent code execution — the e

CVE-2026-22686 CRITICAL POC
10.0 Jan 14

enclave-vm JavaScript sandbox (before 2.7.0) has a critical sandbox escape. When a tool invocation fails, a host-side Er

CVE-2025-2828 CRITICAL POC
10.0 Jun 23

A remote code execution vulnerability in langchain-ai/langchain (CVSS 10.0). Risk factors: public PoC available. Vendor

CVE-2026-1470 CRITICAL POC
9.9 Jan 27

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft

CVE-2026-24770 CRITICAL POC
9.8 Jan 27

Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary fil

CVE-2026-22688 CRITICAL POC
9.9 Jan 10

WeKnora LLM framework (before 0.2.5) allows authenticated users to inject MCP stdio commands that the server executes as

CVE-2026-30861 CRITICAL POC
9.9 Mar 07

OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS

CVE-2026-29042 CRITICAL POC
9.8 Mar 06

Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.

Share

CVE-2026-39398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy