CVE-2026-10219
Description
GoClaw ≤3.11.3 allows remote OS command injection via unsanitized file paths in the write_file tool, enabling root-level compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in nextlevelbuilder GoClaw up to version 3.11.3, specifically in the `FsBridge.WriteFile` function within `internal/sandbox/fsbridge.go`. The `write_file` tool, invoked by the LLM, constructs a shell command using `sh -c` with Go's `%q` format verb to embed a user-controlled file path. Go's `%q` does not escape Bash metacharacters such as `$()`, backticks, or semicolons, allowing command injection when the path is interpreted by the shell [1][2][3]. The bug is tracked as issue #1121 and is classified as CWE-78 with a CVSS 9.8 (Critical) [2][3].
Exploitation
An attacker must be able to influence the file path argument to the `write_file` tool, which can be achieved remotely by crafting a malicious prompt that causes the LLM to output a path containing shell metacharacters (e.g., `notes/$(touch /tmp/pwned).txt`). No authentication is required if the sandbox mode is enabled (`GOCLAW_SANDBOX_MODE=all`) and the instance accepts unauthenticated client requests [2][3]. The attacker does not need prior access; any user of the AI agent platform can submit such prompts [3]. The resulting command, executed as root inside the sandbox container, is for example `sh -c 'cat > "/workspace/notes/$(touch /tmp/pwned).txt"'`; the shell evaluates the command substitution before the file write occurs [2].
Impact
Successful exploitation allows arbitrary OS command execution as the root user inside the sandbox container. This leads to full compromise of confidentiality, integrity, and availability of the sandbox and potentially the host, depending on container isolation. The attacker can read, modify, or delete any data accessible to the container, and potentially escape to the host if additional misconfigurations exist [1][2][3].
Mitigation
A fix has been proposed in pull request #1155, which removes the `sh -c` invocation entirely and writes files using `tee` with the filename passed as a discrete argv entry, eliminating shell interpretation [2]. As of the publication date (2026-06-01), the pull request awaits acceptance and has not yet been merged into a release [1][2]. No official patched version is available; users are advised to disable sandbox mode (`GOCLAW_SANDBOX_MODE=none`) or restrict access to the platform until a fix is released [2][3].
- GitHub - nextlevelbuilder/goclaw: GoClaw - GoClaw is OpenClaw rebuilt in Go — with multi-tenant isolation, 5-layer security, and native concurrency. Deploy AI agent teams at scale without compromising on safety.
- fix(sandbox): avoid shell in FsBridge writes by evgyur · Pull Request #1155 · nextlevelbuilder/goclaw
- [Security] Arbitrary Command Execution inside Sandbox via FsBridge Command Injection
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.11.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing shell-metacharacter sanitization in filename passed to `sh -c` allows OS command injection."
Attack vector
An attacker can supply a filename containing Bash metacharacters such as `$(...)` or backticks. Because the filename is passed to `sh -c`, the shell evaluates these command substitutions before `cat` runs. For example, a path like `notes/$(touch /tmp/pwned).txt` results in `sh -c 'cat > "/workspace/notes/$(touch /tmp/pwned).txt"'`, causing arbitrary command execution as root inside the sandbox container [2]. The attack is remotely exploitable with no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Affected code
The vulnerable code is in `internal/sandbox/fsbridge.go` at lines 68–72, specifically the `FsBridge.WriteFile` function. It constructed a shell command via `b.dockerExec(ctx, []byte(content), "sh", "-c", fmt.Sprintf("cat %s %q", redir, resolved))`, passing the filename through Go's `%q` format verb, which does not neutralize Bash metacharacters [2].
What the fix does
The fix removes the `sh -c` write path entirely and instead writes content via `tee`, passing the filename as a discrete `argv` entry: `args := []string{"tee"}; args = append(args, "--", resolved)`. This eliminates the shell interpretation layer: `tee` receives the filename as a direct argument that never passes through shell evaluation, so all shell metacharacters are treated as literal filename characters [2]. The pull request (PR #1155) awaits acceptance [1].
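The difference between the two call shapes can be checked locally. This is an added example, not GoClaw's code: `printf` stands in for `cat`/`tee` so nothing is written to disk, and the helper names and sample paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"os/exec"
)

// shellForm mirrors the vulnerable pattern quoted above: the path is embedded
// with %q in a string handed to sh -c. printf stands in for "cat > path" so
// the demo writes nothing to disk.
func shellForm(path string) []string {
	return []string{"sh", "-c", fmt.Sprintf("printf '%%s' %q", path)}
}

// argvForm mirrors the approach of the proposed fix: the path is a discrete
// argv entry and no shell parses it.
func argvForm(path string) []string {
	return []string{"printf", "%s", path}
}

// seenPath runs argv and returns the path string the final program received.
func seenPath(argv []string) (string, error) {
	out, err := exec.Command(argv[0], argv[1:]...).Output()
	return string(out), err
}

// altered reports whether routing path through sh -c changes it, i.e. whether
// the shell interpreted part of the path instead of treating it as data.
func altered(path string) (bool, error) {
	got, err := seenPath(shellForm(path))
	return got != path, err
}

func main() {
	// Constructed sample paths; the substitutions only echo a marker word.
	for _, p := range []string{
		"/workspace/notes/todo.txt",
		"/workspace/notes/$(echo EXPANDED).txt",
		"/workspace/notes/`echo EXPANDED`.txt",
	} {
		viaShell, _ := seenPath(shellForm(p))
		viaArgv, _ := seenPath(argvForm(p))
		fmt.Printf("%-42q shell=%q argv=%q\n", p, viaShell, viaArgv)
	}
}
```

A check like `altered` works as a regression test for any code path that still builds `sh -c` strings from tool arguments: a path that comes back changed was parsed by the shell.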
Preconditions
- input: The attacker must be able to supply a filename to the write_file tool (e.g., via an agent prompt or API call).
- auth: No authentication is required (CVSS PR:N).
- network: The attack is carried out remotely over the network.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.