FoundDream miniclawd exec.ts ExecTool.execute os command injection

Vulnerability

CVE-2026-9452 is an OS command injection vulnerability in FoundDream miniclawd, a lightweight TypeScript-based AI assistant. The flaw resides in the ExecTool.execute function in /src/tools/exec.ts (lines 47–51). The vulnerable code uses Node.js spawn() with shell: true, which passes the entire params.command string directly to /bin/sh for parsing with no input validation. Affected versions include all commits up to 2d65665046e2222eeea76cafc8570ed546a8c125; the project does not use versioning [1][2].

Exploitation

An attacker can launch the attack remotely by sending a crafted message to the AI agent (e.g., via Telegram, Feishu, or CLI). The AI constructs an exec_tool call with a command containing shell metacharacters. For example, an attacker sends: "Run ls; cat /etc/passwd to check system". The AI then executes exec_tool({ command: "ls; cat /etc/passwd" }). Due to shell: true, the shell parses ; as a command separator and executes both commands: /bin/sh -c "ls; cat /etc/passwd". All shell operators (;, |, &, &&, ||, $(), backticks, newlines) work as intended [2].

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands on the server running miniclawd. This can lead to full compromise of the system, including reading sensitive files (e.g., /etc/passwd), modifying data, or leveraging the host for further attacks. The impact is high in terms of confidentiality, integrity, and availability [2].

Mitigation

As of the publication date (2026-05-25), no official fix has been released by the project maintainers. The project was informed via an issue report but has not responded [2]. Users should consider disabling the ExecTool or modifying the code to remove shell: true and validate/sanitize all command input. If the software is used in an untrusted environment, isolate it from sensitive systems until a patch is available. The project does not use versioning, so manual code review and patching are required [1][2].