OpenClaw Side-Channel: The safeBins File Existence Oracle
Vulnerability ID: GHSA-6C9J-X93C-RW6J
CVSS Score: 4.3
Published: 2026-02-19
A logic flaw in the OpenClaw AI agent framework's command validation layer created a boolean side-channel, allowing attackers to probe the host filesystem. By attempting to prevent agents from accessing sensitive files via 'safe' binaries, the validation logic inadvertently revealed the existence of those files through error message discrepancies.
TL;DR
OpenClaw tried to stop AI agents from reading sensitive files by checking if files existed before running commands. Ironically, this check created a side-channel: if the system blocked the command, the attacker knew the file existed. If it didn't, the file was missing.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-203
- Attack Vector: Network (Agent Session)
- CVSS: 4.3 (Medium)
- Risk: Filesystem Enumeration
- Impact: Information Disclosure
- Exploit Status: PoC Available
Affected Systems
- OpenClaw Framework (npm package openclaw)
- AI Agents utilizing the safeBins execution tool
- openclaw: <= 2026.2.17 (Fixed in: 2026.2.19)
Code Analysis
Commit: bafdbb6
fix: remove fs.exists check from safeBins validation
--- a/src/infra/exec-approvals-allowlist.ts
+++ b/src/infra/exec-approvals-allowlist.ts
- function defaultFileExists(filePath: string): boolean {
- try {
- return fs.existsSync(filePath);
...
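Review bot: The deletion of defaultFileExists at the top of this hunk comes with no visible test, so nothing here pins down that the safeBins decision is now identical for a path that exists and one that does not. Add a regression test in that shape, and confirm that nothing else in exec-approvals-allowlist.ts still reaches fs.existsSync, since the hunk is truncated and shows only the helper being removed.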
Exploit Details
- Researcher Analysis: Manual reconstruction of the boolean oracle based on patch diff.
Mitigation Strategies
- Update OpenClaw to version 2026.2.19 immediately.
- Implement strict argument parsing that does not rely on OS system calls.
- Audit other safeBin implementations for similar side-channels.
Remediation Steps:
- Modify package.json to require "openclaw": "^2026.2.19".
- Run npm install or yarn install to apply the update.
- Restart the agent service.
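One way to carry out the audit and the "no OS system calls" item from the mitigation list, as an added example that is not OpenClaw's code: a simplified model of an existence-based validator beside a syntax-only one, with a differential check that flags any validator whose decision changes with filesystem state. All type and function names, the path-matching policy and the sample arguments are assumptions made for illustration.

```typescript
// Added example: a simplified model, not OpenClaw's implementation.
// Every name below is hypothetical.
type Decision = "allow" | "block";
type PathProbe = (path: string) => boolean; // stand-in for a file-existence check
type Validator = (args: string[], exists: PathProbe) => Decision;

// Flawed pattern: the decision depends on host filesystem state, so the
// allow/block result tells the caller whether the path exists.
const existenceBasedValidator: Validator = (args, exists) =>
  args.some((a) => exists(a)) ? "block" : "allow";

// State-independent pattern: classify arguments from their text alone.
// Anything that looks like a path is blocked whether or not it exists.
// The regex is an illustrative policy, not the project's rule.
function looksLikePath(arg: string): boolean {
  return /[\/\\]|^[.~]/.test(arg);
}
const syntaxOnlyValidator: Validator = (args) =>
  args.some(looksLikePath) ? "block" : "allow";

// Differential audit: run the validator on identical arguments against two
// constructed filesystem states (every path exists / no path exists) and
// return the argument lists whose decision changed. A non-empty result
// means the validator leaks file existence through its verdict.
function findOracleInputs(validator: Validator, cases: string[][]): string[][] {
  const present: PathProbe = () => true;
  const absent: PathProbe = () => false;
  return cases.filter(
    (args) => validator(args, present) !== validator(args, absent)
  );
}

// Constructed sample argument lists for the audit.
const sampleCases: string[][] = [
  ["-c", "/etc/example.conf"],
  ["--count", "pattern"],
  ["~/notes.txt"],
];

console.log("existence-based leaks on:", findOracleInputs(existenceBasedValidator, sampleCases));
console.log("syntax-only leaks on:", findOracleInputs(syntaxOnlyValidator, sampleCases));
```

The same differential check works as a regression test for any validator that can take its filesystem probe as a parameter.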
References
Read the full report for GHSA-6C9J-X93C-RW6J on our website for more details including interactive diagrams and full exploit analysis.