Compliance Impact

This vulnerability allows arbitrary OS command execution with the privileges of the plugin or gateway process, which poses a high risk to system confidentiality, integrity, and availability.

Such a compromise can lead to unauthorized access to sensitive data or disruption of services, potentially resulting in violations of compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information.

Therefore, exploitation of this vulnerability could negatively impact an organization's ability to maintain compliance with these regulations due to the risk of data breaches or system integrity failures.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-55249 is a command injection vulnerability in the @rtk-ai/rtk-rewrite OpenClaw plugin version 1.0.0. The plugin passes attacker-controlled input directly into a shell-backed execSync() template string without proper shell-safe escaping.

Although JSON.stringify() wraps the input in double quotes and escapes inner quotes and backslashes, it does not neutralize shell metacharacters like $() and backticks. Because execSync delegates execution to /bin/sh -c, the shell expands $(...) substitutions even inside double-quoted strings, allowing injected subcommands to execute before the intended rtk command.

An attacker who can influence the command parameter (for example, via an LLM agent prompt or gateway input) can execute arbitrary OS commands with the privileges of the plugin or gateway process.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to execute arbitrary operating system commands with the privileges of the plugin or gateway process. This can lead to unauthorized actions such as creating or modifying files, accessing sensitive data, or disrupting system operations.

Because the plugin is enabled by default after installation, all users of version 1.0.0 are affected without additional configuration, increasing the risk of exploitation.

The impact includes potential compromise of system confidentiality, integrity, and availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the @rtk-ai/rtk-rewrite OpenClaw plugin version 1.0.0 is in use, as it passes attacker-controlled input directly into a shell-backed execSync() call without proper escaping.

One practical way to detect exploitation attempts is to look for unexpected files created by injected commands, such as the example given where an attacker might run a command like `git status $(touch /tmp/poc)` which creates a file `/tmp/poc`.

You can check for such files or suspicious command executions by running commands like:

• ls -l /tmp/poc
• grep -r '\$()' or backticks in logs related to the OpenClaw exec tool usage to identify suspicious command parameters.
• Audit the code or configuration to see if execSync is called with user-controlled input without shell-safe escaping.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the plugin code to avoid using execSync with shell interpretation of user input.

Specifically, replace execSync with spawnSync and set the option shell: false, passing the command and its arguments as an array. This prevents the shell from interpreting metacharacters like $() and backticks, thus blocking command injection.

Additionally, review and restrict any inputs that can influence the command parameter, such as LLM agent prompts or gateway/tool-call inputs, to reduce the risk of injection.

If an update or patch is available from the vendor or repository, apply it immediately.

Useful 0 Not Useful 0