VYPR
← All advisories
Medium severity6.3NVD Advisory· Published May 26, 2026

CVE-2026-9565

CVE-2026-9565

Description

A vulnerability was determined in haojing8312 WorkClaw up to 0.6.4. This affects the function is_dangerous of the file apps/runtime/src-tauri/src/agent/tools/bash.rs of the component Blacklist Handler. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WorkClaw ≤0.6.4 contains an OS command injection vulnerability via incomplete blacklist in is_dangerous function, allowing remote attackers to execute arbitrary commands.

Vulnerability

The vulnerability resides in the is_dangerous function in apps/runtime/src-tauri/src/agent/tools/bash.rs of WorkClaw versions up to and including 0.6.4 [1]. The function implements a blacklist-based filter intended to block dangerous commands, but it suffers from critical design flaws (CWE-184, CWE-183) as detailed in issue [#4][2]. The blacklist is incomplete and relies on naive substring matching, allowing bypass via multiple spaces, absolute paths, line breaks, quoted parameters, and omitted dangerous commands [2].

Exploitation

An attacker can remotely send crafted commands that bypass the is_dangerous check. The issue [#4] provides a proof of concept demonstrating bypasses using multiple spaces (rm -rf /), absolute paths (/bin/rm -rf /), line breaks, escaped characters, and commands not in the blacklist (rm -fr /, kill -9 1, mkfs ext4 /dev/sda) [2]. No authentication is required; the attack is executed remotely through the WorkClaw tool interface.

Impact

Successful exploitation leads to OS command injection, allowing the attacker to execute arbitrary commands with the privileges of the WorkClaw process. This can result in full system compromise, data destruction, or denial of service. The privilege level is the same as the user running WorkClaw, potentially leading to confidentiality, integrity, and availability impacts.

Mitigation

As of the latest available information, the project maintainer has not responded to the issue report, and no patch has been released [2]. Users should consider discontinuing use of WorkClaw versions ≤0.6.4 until a fix is provided. No workaround is known. The vulnerability is not listed in CISA KEV at this time.

References
  1. GitHub - haojing8312/WorkClaw
  2. [Bug]: Inadequate Dangerous Command Detection Leads to Complete Bypass (CWE-184, CWE-183)

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Incomplete blacklist-based command filtering with naive substring matching fails to detect malicious command variants."

Attack vector

An attacker with low-privilege remote access to WorkClaw can supply a crafted command string to the is_dangerous function in apps/runtime/src-tauri/src/agent/tools/bash.rs [ref_id=1]. The function uses a hardcoded blacklist with single-space matching and no shell syntax parsing, so an attacker can bypass detection using multiple spaces, tabs, absolute paths, line breaks, quoted parameters, or dangerous commands not in the blacklist (e.g., rm -fr /, kill -9 1) [ref_id=1]. Because the function returns false for these inputs, the command is executed without restriction, leading to OS command injection [CWE-184, CWE-183].

Affected code

The vulnerable function is is_dangerous (later pub(crate) fn is_dangerous) in apps/runtime/src-tauri/src/agent/tools/bash.rs [ref_id=1]. The function was present from v0.1.0 through v0.6.4.

What the fix does

No patch has been published. The project was informed via an issue report but has not responded [ref_id=1]. The advisory recommends replacing the naive blacklist approach with proper command validation, such as parsing command boundaries, detecting absolute paths, handling multi-space/tab separators, and using a whitelist of allowed commands rather than a blacklist [ref_id=1].

Preconditions

  • authAttacker must have low-privilege remote access to the WorkClaw application
  • configThe application must be running a vulnerable version (0.1.0 through 0.6.4)
  • inputAttacker must be able to supply a command string to the is_dangerous function

Reproduction

The following commands bypass the is_dangerous blacklist and return false, allowing execution [ref_id=1]:

- Multiple spaces: `rm -rf /` - Tabs: `rm\t-rf\t/` - Absolute path: `/bin/rm -rf /` - Line breaks: `rm\n-rf\n/` - Quoted parameters: `rm "-rf" /` - Unlisted dangerous commands: `rm -fr /`, `kill -9 1`, `mkfs ext4 /dev/sda`

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.