CVE-2026-35570
Path Traversal Bypass in OpenClaude BashTool Permissions
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlawb | openclaude | versions before 0.5.1 (0.5.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35570 is a logic flaw in the bashToolHasPermission() function of OpenClaude, an open-source coding agent. When the sandbox auto-allow feature is enabled and no explicit deny rules exist, the function incorrectly returns an allow result immediately, without checking path constraints. Commands containing path traversal sequences (such as ../../../../../etc/passwd) can therefore bypass directory restrictions and sandbox isolation.
The vulnerability allows unauthorized commands to access files outside the intended restricted directories because the critical path constraint filter is skipped. This flaw exists in versions prior to 0.5.1 and was fixed by ensuring path constraints are always enforced even when sandbox auto-allow is active.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized reading and writing of arbitrary files outside the sandbox environment, including sensitive system files such as /etc/passwd, /etc/shadow, environment configuration files (.env), and SSH keys.
An attacker with low privileges and local access can exploit this flaw without user interaction, potentially leading to privilege escalation or data leakage by bypassing filesystem isolation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to execute Bash commands containing path traversal sequences (e.g., accessing ../../../../../etc/passwd) in an environment where sandbox mode and auto-allow for Bash commands are enabled.
A practical detection approach involves simulating or checking the behavior of the function bashToolHasPermission() when sandbox auto-allow is active and no explicit deny rules are configured.
- Enable sandbox mode: ensure SandboxManager.isSandboxingEnabled() returns true.
- Enable auto-allow for Bash commands: ensure SandboxManager.isAutoAllowBashIfSandboxedEnabled() returns true.
- Submit a Bash command with a path traversal payload, for example: cat ../../../../../etc/passwd
If the command is allowed without triggering path constraint checks, the system is vulnerable.
In testing environments, overriding sandbox manager methods to simulate these conditions and running such commands can confirm the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenClaude to version 0.5.1 or later, where the vulnerability is patched.
The patch enforces Bash path constraints even when sandbox auto-allow is active, preventing commands with path traversal sequences from bypassing directory restrictions.
- Apply the fix that modifies bashToolHasPermission() to only return early on 'deny' or 'ask' results, ensuring path constraints are always checked.
- If upgrading immediately is not possible, consider disabling sandbox auto-allow for Bash commands or configuring explicit deny rules to block suspicious commands.
Additionally, review and restrict local user permissions to limit the ability to exploit this vulnerability.
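As an added illustration (not the project's code), the following TypeScript sketches the two control-flow shapes described above: an early auto-allow return that skips the path constraint, beside the fixed ordering in which only deny/ask results return early and the path constraint always runs. SandboxState, ruleDecision, withinAllowedRoot and the two permission functions are constructed for this example; the real SandboxManager, rule format and path-constraint implementation are assumptions.

```typescript
import * as path from "node:path";

type Decision = "allow" | "deny" | "ask";

// Constructed stand-in for the sandbox manager state; not the project's real API.
interface SandboxState {
  sandboxingEnabled: boolean;        // SandboxManager.isSandboxingEnabled()
  autoAllowBashIfSandboxed: boolean; // SandboxManager.isAutoAllowBashIfSandboxedEnabled()
  denyRules: RegExp[];               // explicit deny rules matched against the command
}

// Explicit rule lookup: a matching deny rule wins, otherwise the rules allow.
function ruleDecision(command: string, state: SandboxState): Decision {
  return state.denyRules.some((rule) => rule.test(command)) ? "deny" : "allow";
}

// Path constraint: every path-like token (anything containing "/") must resolve
// inside allowedRoot after normalisation, so "../" chains and absolute paths
// that escape the root both fail the check.
export function withinAllowedRoot(command: string, allowedRoot: string): boolean {
  const root = path.resolve(allowedRoot);
  return command
    .split(/\s+/)
    .filter((token) => token.includes("/"))
    .every((token) => {
      const resolved = path.resolve(root, token);
      return resolved === root || resolved.startsWith(root + path.sep);
    });
}

// Vulnerable shape (pre-0.5.1 behaviour as the advisory describes it): with
// sandboxing and auto-allow on and no deny rule hit, "allow" is returned before
// the path constraint ever runs.
export function vulnerableHasPermission(command: string, state: SandboxState, allowedRoot: string): Decision {
  const rule = ruleDecision(command, state);
  if (state.sandboxingEnabled && state.autoAllowBashIfSandboxed && rule !== "deny") {
    return "allow"; // BUG: withinAllowedRoot() is skipped on this path
  }
  if (rule !== "allow") return rule;
  return withinAllowedRoot(command, allowedRoot) ? "allow" : "deny";
}

// Fixed shape: only "deny"/"ask" return early; the path constraint is always
// evaluated, and auto-allow is consulted only after it passes.
export function fixedHasPermission(command: string, state: SandboxState, allowedRoot: string): Decision {
  const rule = ruleDecision(command, state);
  if (rule !== "allow") return rule;
  if (!withinAllowedRoot(command, allowedRoot)) return "deny";
  return state.sandboxingEnabled && state.autoAllowBashIfSandboxed ? "allow" : "ask";
}
```

Running the same traversal command through both functions with sandboxing and auto-allow enabled reproduces the advisory's symptom (vulnerable: allow, fixed: deny), which is also a useful regression test to keep after upgrading.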
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized access to sensitive files outside the intended sandbox environment by bypassing directory restrictions through path traversal sequences.
Such unauthorized access and potential exposure of sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information.
Because the flaw permits reading and writing of arbitrary files (e.g., /etc/passwd, /etc/shadow, SSH keys) without proper access control, it increases the risk of data breaches and unauthorized data disclosure, undermining compliance with these regulations.