CVE-2026-35570
Received Received - Intake
Path Traversal Bypass in OpenClaude BashTool Permissions

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an `allow` result immediately β€” before the path constraint filter (`checkPathConstraints`) is ever evaluated. This allows commands containing path traversal sequences (e.g., `../../../../../etc/passwd`) to bypass directory restrictions entirely. Version 0.5.1 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35570
EUVD
EUVD-2026-23988
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gitlawb openclaude to 0.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35570 is a logic flaw in the OpenClaude open-source coding-agent's bashToolHasPermission() function. When the sandbox auto-allow feature is enabled and no explicit deny rules exist, the function incorrectly returns an allow result immediately without checking path constraints. This means commands containing path traversal sequences (like ../../../../../etc/passwd) can bypass directory restrictions and sandbox isolation.

The vulnerability allows unauthorized commands to access files outside the intended restricted directories because the critical path constraint filter is skipped. This flaw exists in versions prior to 0.5.1 and was fixed by ensuring path constraints are always enforced even when sandbox auto-allow is active.

Impact Analysis

This vulnerability can lead to unauthorized reading and writing of arbitrary files outside the sandbox environment, including sensitive system files such as /etc/passwd, /etc/shadow, environment configuration files (.env), and SSH keys.

An attacker with low privileges and local access can exploit this flaw without user interaction, potentially leading to privilege escalation or data leakage by bypassing filesystem isolation.

Detection Guidance

This vulnerability can be detected by attempting to execute Bash commands containing path traversal sequences (e.g., accessing ../../../../../etc/passwd) in an environment where sandbox mode and auto-allow for Bash commands are enabled.

A practical detection approach involves simulating or checking the behavior of the function bashToolHasPermission() when sandbox auto-allow is active and no explicit deny rules are configured.

  • Enable sandbox mode: ensure SandboxManager.isSandboxingEnabled() returns true.
  • Enable auto-allow for Bash commands: ensure SandboxManager.isAutoAllowBashIfSandboxedEnabled() returns true.
  • Submit a Bash command with a path traversal payload, for example: cat ../../../../../etc/passwd

If the command is allowed without triggering path constraint checks, the system is vulnerable.

In testing environments, overriding sandbox manager methods to simulate these conditions and running such commands can confirm the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenClaude to version 0.5.1 or later, where the vulnerability is patched.

The patch enforces Bash path constraints even when sandbox auto-allow is active, preventing commands with path traversal sequences from bypassing directory restrictions.

  • Apply the fix that modifies bashToolHasPermission() to only return early on 'deny' or 'ask' results, ensuring path constraints are always checked.
  • If upgrading immediately is not possible, consider disabling sandbox auto-allow for Bash commands or configuring explicit deny rules to block suspicious commands.

Additionally, review and restrict local user permissions to limit the ability to exploit this vulnerability.

Compliance Impact

This vulnerability allows unauthorized access to sensitive files outside the intended sandbox environment by bypassing directory restrictions through path traversal sequences.

Such unauthorized access and potential exposure of sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information.

Because the flaw permits reading and writing of arbitrary files (e.g., /etc/passwd, /etc/shadow, SSH keys) without proper access control, it increases the risk of data breaches and unauthorized data disclosure, undermining compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35570. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart