CVE-2026-35570
Published: 21 April 2026
Summary
CVE-2026-35570 is a high-severity Path Traversal (CWE-22) vulnerability in Gitlawb Openclaude. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 0.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Implements a reference monitor to enforce access control policies without skipping critical checks like path constraints in sandbox permission functions.
Enforces approved authorizations for system resources, directly addressing the logic flaw that bypasses directory restrictions via path traversal.
Validates information inputs such as bash command paths to prevent traversal sequences from bypassing sandbox constraints.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in bash tool permission check allows path traversal payloads in Unix shell commands to bypass sandbox restrictions, directly enabling unauthorized local file/directory access and data collection.
NVD Description
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no explicit deny rule is configured,…
more
the function returns an `allow` result immediately — before the path constraint filter (`checkPathConstraints`) is ever evaluated. This allows commands containing path traversal sequences (e.g., `../../../../../etc/passwd`) to bypass directory restrictions entirely. Version 0.5.1 contains a patch for the issue.
Deeper analysisAI
CVE-2026-35570 is a logic flaw in the `bashToolHasPermission()` function within `src/tools/BashTool/bashPermissions.ts` of OpenClaude, an open-source coding-agent command line interface for cloud and local model providers. Affecting versions prior to 0.5.1, the vulnerability (classified under CWE-22 for path traversal and CWE-284 for improper access control) occurs when the sandbox auto-allow feature is enabled without explicit deny rules. In this scenario, the function returns an "allow" result immediately, skipping evaluation of the path constraint filter (`checkPathConstraints`), thereby permitting path traversal sequences like `../../../../../etc/passwd` to bypass directory restrictions entirely. The issue carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
A local attacker with low privileges can exploit this vulnerability by crafting bash commands that incorporate path traversal payloads. Successful exploitation allows bypassing sandbox directory restrictions, enabling high-impact unauthorized access to sensitive files for reading (high confidentiality impact) and modification (high integrity impact), with no disruption to availability. The low attack complexity and lack of required user interaction, combined with the scope change to high, make it particularly severe in environments relying on OpenClaude's sandboxing for command execution isolation.
The GitHub security advisory (GHSA-m6rx-7pvw-2f73) and corresponding patch commit (7002cb302b78ea2a19da3f26226de24e2903fa1d) confirm that upgrading to OpenClaude version 0.5.1 resolves the issue by ensuring proper sequencing of permission checks, including path constraint evaluation before allowing execution.
Details
- CWE(s)