CVE-2026-35570 Overview
CVE-2026-35570 is a path traversal vulnerability affecting OpenClaude, an open-source coding-agent command line interface for cloud and local model providers. The vulnerability stems from a logic flaw in the bashToolHasPermission() function within src/tools/BashTool/bashPermissions.ts. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an allow result immediately—before the path constraint filter (checkPathConstraints) is ever evaluated. This allows commands containing path traversal sequences (e.g., ../../../../../etc/passwd) to bypass directory restrictions entirely.
Critical Impact
Attackers can bypass sandbox directory restrictions to access arbitrary files on the system, potentially exposing sensitive configuration files, credentials, and system data through path traversal attacks.
Affected Products
- Gitlawb OpenClaude versions prior to 0.5.1
Discovery Timeline
- 2026-04-21 - CVE-2026-35570 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-35570
Vulnerability Analysis
This vulnerability represents a classic case of improper order of security checks, classified under CWE-22 (Path Traversal). The fundamental flaw lies in the permission evaluation logic within the bash tool component of OpenClaude.
The bashToolHasPermission() function is designed to enforce directory-based access controls when executing bash commands through the coding agent. However, when the sandbox auto-allow mode is enabled—a convenience feature likely intended for trusted development environments—the function short-circuits its security evaluation. The auto-allow check occurs before the checkPathConstraints function can validate that the requested command stays within permitted directory boundaries.
This architectural oversight means that path traversal sequences embedded in commands are never sanitized or blocked when auto-allow is active. An attacker or malicious prompt could craft commands using relative path sequences like ../../ to escape the intended sandbox directory and access files anywhere on the filesystem that the OpenClaude process has read permissions for.
The vulnerability requires local access and low privileges to exploit, but can result in a changed scope impact—meaning the compromise can extend beyond the vulnerable component itself to affect other system resources.
Root Cause
The root cause is a logic ordering flaw in the permission checking flow. The bashToolHasPermission() function evaluates the sandbox auto-allow condition and returns early with an allow result before the checkPathConstraints function has an opportunity to validate directory boundaries. This violates the principle that all security checks should be evaluated regardless of convenience features, and that path validation should occur as early as possible in any file or command processing pipeline.
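The ordering flaw described above, reduced to a small model, as an added example that is not OpenClaude's source code or its patch. The names permissionFlawed, permissionFixed, pathsStayInside, resolveIn and Ctx are hypothetical, and the sandbox root and commands are constructed inputs.

```typescript
// Simplified model of the check ordering; hypothetical names, not OpenClaude's code.
type Decision = "allow" | "ask" | "deny";
interface Ctx { sandboxRoot: string; autoAllow: boolean; denyRules: string[] }

// Resolve a POSIX path against the sandbox root, collapsing "." and "..".
function resolveIn(root: string, p: string): string {
  const segs = (p.charAt(0) === "/" ? p : root + "/" + p).split("/");
  const out: string[] = [];
  segs.forEach((s) => {
    if (s === "" || s === ".") return;
    if (s === "..") out.pop(); else out.push(s);
  });
  return "/" + out.join("/");
}

// Stand-in for a path constraint filter: every non-flag argument must resolve under the root.
function pathsStayInside(cmd: string, root: string): boolean {
  const args = cmd.split(/\s+/).slice(1).filter((a) => a.charAt(0) !== "-");
  return args.every((a) => {
    const r = resolveIn(root, a);
    return r === root || r.indexOf(root + "/") === 0;
  });
}

function matchesDeny(cmd: string, ctx: Ctx): boolean {
  return ctx.denyRules.some((rule) => cmd.indexOf(rule) !== -1);
}

// Flawed order: with no deny rule matching, auto-allow returns before the path filter runs.
function permissionFlawed(cmd: string, ctx: Ctx): Decision {
  if (matchesDeny(cmd, ctx)) return "deny";
  if (ctx.autoAllow) return "allow"; // early return: path filter is never reached
  return pathsStayInside(cmd, ctx.sandboxRoot) ? "ask" : "deny";
}

// One corrected order: the path filter gates every outcome, auto-allow included.
function permissionFixed(cmd: string, ctx: Ctx): Decision {
  if (matchesDeny(cmd, ctx)) return "deny";
  if (!pathsStayInside(cmd, ctx.sandboxRoot)) return "deny";
  return ctx.autoAllow ? "allow" : "ask";
}

// Constructed inputs: auto-allow on, no deny rules, the command quoted on this page.
const demoCtx: Ctx = { sandboxRoot: "/home/dev/project", autoAllow: true, denyRules: [] };
const escaping = "cat ../../../../../etc/passwd";
console.log("flawed:", permissionFlawed(escaping, demoCtx));
console.log("fixed: ", permissionFixed(escaping, demoCtx));
```

With autoAllow set to false both orderings reject the escaping command, which is why the issue only shows up when the convenience feature is on.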
Attack Vector
The attack vector is local, requiring the attacker to have access to the OpenClaude CLI environment. Exploitation involves crafting bash commands with path traversal sequences that the coding agent would execute. When the sandbox auto-allow feature is enabled (which may be a common configuration for development use), these commands bypass the intended directory restrictions.
For example, an attacker could leverage the coding agent to execute commands like cat ../../../../../etc/passwd or access other sensitive files outside the designated sandbox directory. The vulnerability allows both confidentiality and integrity impacts, as files could be read and potentially written depending on the specific commands executed.
Detection Methods for CVE-2026-35570
Indicators of Compromise
- Bash commands executed through OpenClaude containing ../ path traversal sequences
- Access to files outside the configured sandbox directory boundaries
- Unexpected file read or write operations targeting system configuration files like /etc/passwd, /etc/shadow, or application configuration files
- Audit logs showing OpenClaude processes accessing files in parent directories of the sandbox root
Detection Strategies
- Monitor command execution logs for path traversal patterns (../, ..\, or URL-encoded variants like %2e%2e%2f)
- Implement file integrity monitoring on sensitive system files and directories
- Review OpenClaude configuration to identify instances where sandbox auto-allow is enabled
- Deploy endpoint detection rules to flag unusual file access patterns from OpenClaude processes
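One way to implement the log check from the first strategy above, as an added example rather than tooling shipped with OpenClaude. The log line layout (timestamp, tool=, cmd=) and the function names are assumptions, and the sample lines are constructed.

```typescript
// Added detection sketch; the log format below is constructed, not OpenClaude's real format.
interface TraversalHit { line: number; command: string; depth: number }

// Decode %xx a bounded number of times so double-encoded input (%252e) is also normalised.
function decodeLoose(s: string): string {
  let cur = s;
  for (let i = 0; i < 3; i++) {
    let next = cur;
    try { next = decodeURIComponent(cur); } catch (e) { break; } // malformed escape: keep as is
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Count ".." path segments after decoding and unifying separators.
// The leading character class keeps ranges such as "v1.0..HEAD" from matching.
function traversalDepth(command: string): number {
  const norm = decodeLoose(command).replace(/\\/g, "/");
  const m = norm.match(/(^|[\s\/'"=])\.\.(?=[\/\s'"]|$)/g);
  return m ? m.length : 0;
}

function scanCommandLog(log: string[]): TraversalHit[] {
  const hits: TraversalHit[] = [];
  log.forEach((entry, i) => {
    const at = entry.indexOf(" cmd=");
    const command = at === -1 ? "" : entry.slice(at + 5);
    const depth = traversalDepth(command);
    if (depth > 0) hits.push({ line: i + 1, command, depth });
  });
  return hits;
}

// Constructed sample log lines.
const sampleLog = [
  "2026-04-22T10:01:07Z tool=bash cmd=ls src/components",
  "2026-04-22T10:01:09Z tool=bash cmd=cat ../../../../../etc/passwd",
  "2026-04-22T10:01:12Z tool=bash cmd=cat %2e%2e%2f%2e%2e%2fsecrets.env",
  "2026-04-22T10:01:15Z tool=bash cmd=type ..\\..\\config.ini",
  "2026-04-22T10:01:20Z tool=bash cmd=git log v1.0..HEAD",
];
scanCommandLog(sampleLog).forEach((h) => console.log(h.line, h.depth, h.command));
```

A pattern match only says a command contains parent-directory segments; whether it actually left the workspace still needs the path resolved against the sandbox root or confirmed from file access auditing.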
Monitoring Recommendations
- Enable verbose logging for OpenClaude command execution to capture full command strings
- Configure file access auditing on sensitive directories to detect unauthorized access attempts
- Set up alerts for any OpenClaude process accessing files outside designated workspace directories
- Periodically audit OpenClaude configurations across development environments to ensure auto-allow is disabled in production or sensitive contexts
How to Mitigate CVE-2026-35570
Immediate Actions Required
- Upgrade OpenClaude to version 0.5.1 or later immediately
- Disable the sandbox auto-allow feature until the patch is applied
- Review recent command execution logs for evidence of path traversal exploitation
- Audit any files that may have been accessed or modified through this vulnerability
Patch Information
The vulnerability has been addressed in OpenClaude version 0.5.1. The fix is available in commit 7002cb302b78ea2a19da3f26226de24e2903fa1d. Organizations should update to the patched version as soon as possible. For detailed information about the vulnerability and patch, refer to the GitHub Security Advisory GHSA-m6rx-7pvw-2f73 and the GitHub Commit Change.
Workarounds
- Disable the sandbox auto-allow feature in OpenClaude configuration to ensure path constraints are always evaluated
- Implement explicit deny rules for sensitive system paths to provide defense-in-depth
- Run OpenClaude with minimal filesystem permissions using a restricted user account
- Use containerization or chroot environments to provide an additional layer of filesystem isolation
# Example: Disable auto-allow in OpenClaude configuration
# Edit your openclaude configuration file
openclaude config set sandbox.autoAllow false
# Verify the setting is disabled
openclaude config get sandbox.autoAllow