VYPR
High severity · 8.4 · NVD Advisory · Published Apr 21, 2026 · Updated Apr 23, 2026

CVE-2026-35570

Description

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in bashToolHasPermission() inside src/tools/BashTool/bashPermissions.ts. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an allow result immediately — before the path constraint filter (checkPathConstraints) is ever evaluated. This allows commands containing path traversal sequences (e.g., ../../../../../etc/passwd) to bypass directory restrictions entirely. Version 0.5.1 contains a patch for the issue.
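A constructed model of the ordering problem described above, added here as an illustration and not code from the OpenClaude project: the names Context, resolvePath, sandboxAutoAllow and the two hasPermission* functions are assumptions, and checkPathConstraints is a stand-in that resolves every path-like token in a command against the working directory. The vulnerable variant returns on any non-passthrough result, the fixed variant only on deny or ask.

```typescript
type Behavior = 'allow' | 'deny' | 'ask' | 'passthrough'
interface PermissionResult { behavior: Behavior; message?: string }
// Constructed context: cwd, roots a command may touch, auto-allow flag, deny rules (command prefixes).
interface Context { cwd: string; allowedRoots: string[]; autoAllow: boolean; denyRules: string[] }

// Resolve a possibly relative path against cwd, collapsing '.' and '..' segments.
function resolvePath(cwd: string, p: string): string {
  const out: string[] = []
  for (const seg of (p.startsWith('/') ? p : `${cwd}/${p}`).split('/')) {
    if (seg === '' || seg === '.') continue
    if (seg === '..') { out.pop(); continue }
    out.push(seg)
  }
  return '/' + out.join('/')
}

// Stand-in for checkPathConstraints(): every path-like token must resolve inside
// an allowed root; the first token that escapes blocks the command with 'ask'.
function checkPathConstraints(command: string, ctx: Context): PermissionResult {
  for (const token of command.split(/\s+/)) {
    if (!token.includes('/')) continue
    const resolved = resolvePath(ctx.cwd, token)
    if (!ctx.allowedRoots.some(r => resolved === r || resolved.startsWith(r + '/'))) {
      return { behavior: 'ask', message: `Path ${resolved} was blocked: outside ${ctx.allowedRoots.join(', ')}` }
    }
  }
  return { behavior: 'passthrough' }
}

// Stand-in for the sandbox auto-allow step: an explicit deny rule wins, otherwise a
// sandboxed command is auto-allowed; 'passthrough' means the step has no opinion.
function sandboxAutoAllow(command: string, ctx: Context): PermissionResult {
  if (ctx.denyRules.some(rule => command.startsWith(rule))) return { behavior: 'deny', message: 'denied by rule' }
  return ctx.autoAllow ? { behavior: 'allow' } : { behavior: 'passthrough' }
}

// Pre-0.5.1 ordering: any non-passthrough result, 'allow' included, returns before
// the path filter runs, so a traversal outside the roots is never examined.
function hasPermissionVulnerable(command: string, ctx: Context): PermissionResult {
  const auto = sandboxAutoAllow(command, ctx)
  if (auto.behavior !== 'passthrough') return auto
  const paths = checkPathConstraints(command, ctx)
  return paths.behavior !== 'passthrough' ? paths : { behavior: 'ask' }
}

// 0.5.1 ordering: only 'deny' and 'ask' short-circuit; an 'allow' is held back until
// the path filter has run and is honoured only if no path was blocked.
function hasPermissionFixed(command: string, ctx: Context): PermissionResult {
  const auto = sandboxAutoAllow(command, ctx)
  if (auto.behavior === 'deny' || auto.behavior === 'ask') return auto
  const paths = checkPathConstraints(command, ctx)
  if (paths.behavior !== 'passthrough') return paths
  return auto.behavior === 'allow' ? auto : { behavior: 'ask' }
}
```

With auto-allow on and no deny rule, `cat ../../../../../etc/passwd` comes back `allow` from the vulnerable ordering and `ask` with a "was blocked" message from the fixed one, while an in-tree path is still auto-allowed by both.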

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions   Patched versions
@gitlawb/openclaude (npm)   < 0.5.1             0.5.1

Affected products: 1

Patches: 1
7002cb302b78

fix: enforce Bash path constraints after sandbox allow (#777)

https://github.com/Gitlawb/openclaude · Kevin Codex · Apr 20, 2026 · via ghsa
2 files changed · +63 −1
  • src/tools/BashTool/bashPermissions.test.ts (+59 −0, added)
    @@ -0,0 +1,59 @@
    +import { afterEach, expect, test } from 'bun:test'
    +
    +import { getEmptyToolPermissionContext } from '../../Tool.js'
    +import { SandboxManager } from '../../utils/sandbox/sandbox-adapter.js'
    +import { bashToolHasPermission } from './bashPermissions.js'
    +
    +const originalSandboxMethods = {
    +  isSandboxingEnabled: SandboxManager.isSandboxingEnabled,
    +  isAutoAllowBashIfSandboxedEnabled:
    +    SandboxManager.isAutoAllowBashIfSandboxedEnabled,
    +  areUnsandboxedCommandsAllowed: SandboxManager.areUnsandboxedCommandsAllowed,
    +  getExcludedCommands: SandboxManager.getExcludedCommands,
    +}
    +
    +afterEach(() => {
    +  SandboxManager.isSandboxingEnabled =
    +    originalSandboxMethods.isSandboxingEnabled
    +  SandboxManager.isAutoAllowBashIfSandboxedEnabled =
    +    originalSandboxMethods.isAutoAllowBashIfSandboxedEnabled
    +  SandboxManager.areUnsandboxedCommandsAllowed =
    +    originalSandboxMethods.areUnsandboxedCommandsAllowed
    +  SandboxManager.getExcludedCommands = originalSandboxMethods.getExcludedCommands
    +})
    +
    +function makeToolUseContext() {
    +  const toolPermissionContext = getEmptyToolPermissionContext()
    +
    +  return {
    +    abortController: new AbortController(),
    +    options: {
    +      isNonInteractiveSession: false,
    +    },
    +    getAppState() {
    +      return {
    +        toolPermissionContext,
    +      }
    +    },
    +  } as never
    +}
    +
    +test('sandbox auto-allow still enforces Bash path constraints', async () => {
    +  ;(globalThis as unknown as { MACRO: { VERSION: string } }).MACRO = {
    +    VERSION: 'test',
    +  }
    +
    +  SandboxManager.isSandboxingEnabled = () => true
    +  SandboxManager.isAutoAllowBashIfSandboxedEnabled = () => true
    +  SandboxManager.areUnsandboxedCommandsAllowed = () => true
    +  SandboxManager.getExcludedCommands = () => []
    +
    +  const result = await bashToolHasPermission(
    +    { command: 'cat ../../../../../etc/passwd' },
    +    makeToolUseContext(),
    +  )
    +
    +  expect(result.behavior).toBe('ask')
    +  expect(result.message).toContain('was blocked')
    +  expect(result.message).toContain('/etc/passwd')
    +})
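Review bot: the test installs `globalThis.MACRO` but never restores or deletes it, while the four SandboxManager overrides are put back in `afterEach`; add `MACRO` to that cleanup so the global does not leak into other test files run in the same process. The test also pins only the blocked case; a companion assertion that a command whose paths stay inside the working directory still returns `allow` under the same sandbox stubs would catch the fix regressing auto-allow itself, which is the behaviour the condition change in bashPermissions.ts is meant to preserve.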
    
  • src/tools/BashTool/bashPermissions.ts (+4 −1, modified)
    @@ -1814,7 +1814,10 @@ export async function bashToolHasPermission(
           input,
           appState.toolPermissionContext,
         )
    -    if (sandboxAutoAllowResult.behavior !== 'passthrough') {
    +    if (
    +      sandboxAutoAllowResult.behavior === 'deny' ||
    +      sandboxAutoAllowResult.behavior === 'ask'
    +    ) {
           return sandboxAutoAllowResult
         }
       }
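Review bot: the new condition lets an `allow` result fall through to the later checks, but the hunk does not show where that `allow` is consumed afterwards; confirm that once checkPathConstraints passes the sandbox decision is still honoured rather than the command being re-prompted, otherwise the fix trades the bypass for a regression of auto-allow. Enumerating `'deny' || 'ask'` also silently continues if a new behaviour value is ever added to the union; writing it as `behavior !== 'allow' && behavior !== 'passthrough'`, or adding a one-line comment above the `if` saying why `allow` must continue to the path filter, makes the intent explicit for the next reader.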
    
