{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35570", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.826Z", "datePublished": "2026-04-20T23:24:08.324Z", "dateUpdated": "2026-04-21T19:49:30.148Z"}, "containers": {"cna": {"title": "OpenClaude has Sandbox Bypass via Early-Exit Logic Flaw that Allows Path Traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m6rx-7pvw-2f73", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m6rx-7pvw-2f73"}, {"name": "https://github.com/Gitlawb/openclaude/commit/7002cb302b78ea2a19da3f26226de24e2903fa1d", "tags": ["x_refsource_MISC"], "url": "https://github.com/Gitlawb/openclaude/commit/7002cb302b78ea2a19da3f26226de24e2903fa1d"}], "affected": [{"vendor": "Gitlawb", "product": "openclaude", "versions": [{"version": "< 0.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T23:24:08.324Z"}, "descriptions": [{"lang": "en", "value": "OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an `allow` result immediately \u2014 before the path constraint filter (`checkPathConstraints`) is ever evaluated. This allows commands containing path traversal sequences (e.g., `../../../../../etc/passwd`) to bypass directory restrictions entirely. Version 0.5.1 contains a patch for the issue."}], "source": {"advisory": "GHSA-m6rx-7pvw-2f73", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m6rx-7pvw-2f73", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T16:01:46.877935Z", "id": "CVE-2026-35570", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:49:30.148Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35570", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T16:01:46.877935Z"}}}], "references": [{"url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m6rx-7pvw-2f73", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:02:02.535Z"}}], "cna": {"title": "OpenClaude has Sandbox Bypass via Early-Exit Logic Flaw that Allows Path Traversal", "source": {"advisory": "GHSA-m6rx-7pvw-2f73", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Gitlawb", "product": "openclaude", "versions": [{"status": "affected", "version": "< 0.5.1"}]}], "references": [{"url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m6rx-7pvw-2f73", "name": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m6rx-7pvw-2f73", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Gitlawb/openclaude/commit/7002cb302b78ea2a19da3f26226de24e2903fa1d", "name": "https://github.com/Gitlawb/openclaude/commit/7002cb302b78ea2a19da3f26226de24e2903fa1d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an `allow` result immediately \u2014 before the path constraint filter (`checkPathConstraints`) is ever evaluated. This allows commands containing path traversal sequences (e.g., `../../../../../etc/passwd`) to bypass directory restrictions entirely. Version 0.5.1 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T23:24:08.324Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35570", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:49:30.148Z", "dateReserved": "2026-04-03T20:09:02.826Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-20T23:24:08.324Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlawb:openclaude:*:*:*:*:*:*:*:*", "matchCriteriaId": "F2107920-62CC-4630-84F0-724AB1B17015", "versionEndExcluding": "0.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an `allow` result immediately \u2014 before the path constraint filter (`checkPathConstraints`) is ever evaluated. This allows commands containing path traversal sequences (e.g., `../../../../../etc/passwd`) to bypass directory restrictions entirely. Version 0.5.1 contains a patch for the issue."}], "id": "CVE-2026-35570", "lastModified": "2026-04-23T18:37:09.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T00:16:28.877", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Gitlawb/openclaude/commit/7002cb302b78ea2a19da3f26226de24e2903fa1d"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m6rx-7pvw-2f73"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m6rx-7pvw-2f73"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.5.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "openclaude", "source": "cna", "vendor": "Gitlawb"}, "product": "openclaude", "vendor": "gitlawb"}], "analysis": {"en": {"generated_at": "2026-04-21T23:15:08.979616+00:00", "value": {"mitigation_remediation": ["Upgrade OpenClaude to version 0.5.1 or later", "Disable the auto\u2011allow sandbox feature or configure explicit deny rules to enforce path constraints", "Run OpenClaude only with the least privilege required and avoid elevated privileges"], "summary": {"action": "Patch", "impact": "Unauthorized file access via sandbox bypass"}, "threat_synthesis": {"affected_systems": "Gitlawb's OpenClaude prior to version 0.5.1 is affected. The issue surfaces when the sandbox auto\u2011allow feature is enabled without an explicit deny rule. Versions 0.5.1 and later contain a patch that addresses the early\u2011exit logic flaw.", "description_and_impact": "OpenClaude contains a logic flaw in the permission\u2011check function that causes the sandbox to return an allow result immediately when the auto\u2011allow feature is active and no explicit deny rule is set. This early\u2011exit occurs before the path constraint filter runs, allowing commands that include path traversal sequences such as ../../../../../etc/passwd to bypass directory restrictions. As a result, an attacker who controls the command input can access or execute files outside the intended sandbox boundary. The vulnerability is categorized as CWE\u201122 (Path Traversal) and CWE\u2011284 (Improper Access Control).", "risk_and_exploitability": "The CVSS score of 8.4 marks this vulnerability as high severity. The EPSS score is less than 1% and it is not listed in the CISA KEV catalog. Exploitation requires local execution of the OpenClaude CLI with the auto\u2011allow feature enabled and without an explicit deny rule. If the tool is run with elevated privileges or as a service, the impact could extend beyond the current user, potentially affecting the entire system."}}}}, "created": "2026-04-21T23:30:02.866959+00:00", "updated": "2026-04-22T11:47:08.654281+00:00", "vendors": ["gitlawb", "gitlawb$PRODUCT$openclaude"]}