AI / ML CVE-2026-39398
MEDIUMLifecycle Timeline
3DescriptionCVE.org
Affected
openclaw-claude-bridge v1.1.0
Issue
v1.1.0 spawns the Claude Code CLI subprocess with --allowed-tools "" and the release notes + README claim this "disables all CLI tools" for sandboxing. This claim is incorrect.
Per the Claude Code CLI documentation, --allowed-tools (alias --allowedTools) is an auto-approve allowlist of tools that execute without permission prompts - NOT a restriction on which tools are available. The correct flag to restrict the available tool set is --tools:
> --tools <tools...> Specify the list of available tools from the built-in set. Use "" to disable all tools, "default" to use all tools, or specify tool names (e.g. "Bash,Edit,Read").
Impact
- All CLI tools (Read/Write/Bash/WebFetch/...) remain nominally available to the spawned subprocess.
- Actual execution behavior in
--printnon-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang). - Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.
The README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in --print mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway's process context.
Patches
Fixed in v1.1.1 (commit 8a296f5) by switching to --tools "". The environment variable was also renamed from CLAUDE_ALLOWED_TOOLS to CLAUDE_TOOLS to match the flag.
Workarounds
Setting CLAUDE_ALLOWED_TOOLS on v1.1.0 has no mitigating effect. Upgrade to v1.1.1 or manually edit dist/cli-bridge.js to replace --allowed-tools with --tools.
References
- Fix: https://github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5
- v1.1.1 notes: https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1
- Claude Code CLI reference: https://docs.claude.com/en/docs/claude-code/cli-reference
Credit
Found during a second-round code review.
AnalysisAI
openclaw-claude-bridge v1.1.0 incorrectly disables CLI tool access by passing --allowed-tools "" to the Claude Code subprocess, when the correct flag to disable tools is --tools. The --allowed-tools flag only controls which tools auto-approve without prompts; all CLI tools (Read, Write, Bash, WebFetch, etc.) remain nominally available. Users deploying the bridge to handle untrusted prompts or in gateway contexts may unknowingly operate without the sandboxing protections claimed in the README, exposing systems to prompt-injection attacks that could trigger arbitrary code execution in the process context. Vendor-released patch: v1.1.1 (commit 8a296f5).
Technical ContextAI
The openclaw-claude-bridge (npm package pkg:npm/openclaw-claude-bridge) wraps the Claude Code CLI by spawning a subprocess with configuration flags. The vulnerability stems from a misunderstanding of Claude Code CLI's command-line interface: the --allowed-tools flag (per official documentation) specifies an auto-approve allowlist for tool execution without permission prompts, while the --tools flag controls which tools from the built-in set are actually available. The bridge's v1.1.0 passes --allowed-tools "" believing this disables all tools, but per the Claude Code CLI reference documentation, the correct incantation is --tools "" to disable tools entirely. The underlying issue is CWE-276 (Incorrect Default Permissions), as the code makes a security claim (README documentation) that does not match the actual implementation behavior. The root cause is reliance on incorrect understanding of a dependency's API contract.
RemediationAI
Vendor-released patch: upgrade to openclaw-claude-bridge v1.1.1 or later (commit 8a296f5), which corrects the subprocess invocation to use --tools "" instead of --allowed-tools "" and renames the environment variable from CLAUDE_ALLOWED_TOOLS to CLAUDE_TOOLS. For users unable to upgrade immediately, manually edit the dist/cli-bridge.js file to replace the --allowed-tools flag with --tools. Setting the CLAUDE_ALLOWED_TOOLS environment variable on v1.1.0 has no mitigating effect and should not be relied upon. Refer to the patch commit and v1.1.1 release notes at https://github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1 and the GitHub security advisory at https://github.com/advisories/GHSA-7853-gqqm-vcwx.
MCPJam Inspector versions 1.4.2 and earlier allow unauthenticated remote code execution through missing authentication i
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. Rated high severity (CVSS 7.5), this vulnerabilit
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary
Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes
Sandbox escape in Enclave JavaScript sandbox before 2.11.1. Enclave is designed for safe AI agent code execution — the e
enclave-vm JavaScript sandbox (before 2.7.0) has a critical sandbox escape. When a tool invocation fails, a host-side Er
A remote code execution vulnerability in langchain-ai/langchain (CVSS 10.0). Risk factors: public PoC available. Vendor
n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft
Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary fil
WeKnora LLM framework (before 0.2.5) allows authenticated users to inject MCP stdio commands that the server executes as
OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS
Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.
Same weakness CWE-276 – Incorrect Default Permissions
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-7853-gqqm-vcwx