CVE-2026-55249 Overview
CVE-2026-55249 is a command injection vulnerability [CWE-78] in the @rtk-ai/rtk-rewrite OpenClaw plugin version 1.0.0. The plugin transparently rewrites shell commands executed through OpenClaw's exec tool into their RTK equivalents. It passes attacker-controlled input into a shell-backed execSync() template string without shell-safe escaping. An attacker who influences the exec tool's command parameter — for example through a large language model (LLM) agent prompt or gateway tool-call input — gains arbitrary operating system command execution with the privileges of the plugin or gateway process.
Critical Impact
Attackers controlling the exec tool input can execute arbitrary OS commands in the context of the plugin or gateway process via $() shell substitution.
Affected Products
- @rtk-ai/rtk-rewrite version 1.0.0
- OpenClaw exec tool integrations using the affected plugin
- LLM agent gateways routing tool calls through @rtk-ai/rtk-rewrite
Discovery Timeline
- 2026-06-23 - CVE-2026-55249 published to the National Vulnerability Database (NVD)
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-55249
Vulnerability Analysis
The @rtk-ai/rtk-rewrite plugin intercepts shell commands directed at OpenClaw's exec tool and rewrites them to invoke rtk. To perform this rewrite, the plugin builds a command string using a JavaScript template literal and executes it through Node.js execSync(). Because execSync delegates execution to /bin/sh -c, the shell parses and expands metacharacters in the constructed string before the rewritten rtk command runs.
The attacker-controlled command parameter is serialized with JSON.stringify(). This wraps the value in double quotes and escapes inner double quotes and backslashes, but it does not neutralize $() command substitution or backtick substitution. The shell still expands these constructs inside double-quoted strings. An injected $(...) payload therefore executes as a subcommand before the rewrite logic is invoked.
Root Cause
The root cause is reliance on JSON.stringify() as a sanitization mechanism for shell-bound input. JSON quoting is not shell quoting. Single-quoted shell strings are the only quoting context that suppresses $() and backtick expansion in POSIX shells, and the plugin uses double quotes. Combined with execSync() invoking /bin/sh -c, this design allows injected metacharacters to reach the shell parser.
Attack Vector
An attacker supplies a crafted value to the exec tool's command parameter, typically through an LLM agent prompt, a chained tool call, or an upstream gateway request. The malicious input includes a $(...) or backtick substitution containing arbitrary commands. When the plugin builds the rewrite string and hands it to execSync(), /bin/sh -c evaluates the substitution and runs the attacker's commands with the privileges of the plugin or gateway process. The vulnerability requires low-privileged authentication and user interaction, consistent with the agent-mediated invocation path. Refer to the GitHub Security Advisory GHSA-fqgj-m2gp-mr3q for additional technical detail.
Detection Methods for CVE-2026-55249
Indicators of Compromise
- Process telemetry showing the plugin or gateway process spawning /bin/sh -c with command lines containing $( or backtick substrings inside JSON-quoted values.
- Unexpected child processes such as curl, wget, nc, bash, or python parented to the Node.js process hosting @rtk-ai/rtk-rewrite.
- Outbound network connections initiated from the plugin host immediately after exec tool invocations.
Detection Strategies
- Inspect LLM tool-call logs and gateway request bodies for $(, `, ;, &&, or | characters in the command parameter passed to the exec tool.
- Correlate execSync invocations with subsequent process trees that deviate from expected rtk subcommands.
- Apply CWE-78 detection rules that flag shell metacharacters reaching /bin/sh -c from Node.js child-process APIs.
Monitoring Recommendations
- Enable process-level auditing on hosts running OpenClaw and the @rtk-ai/rtk-rewrite plugin, capturing parent-child relationships and full command lines.
- Forward LLM agent and tool-call gateway logs to a centralized analytics platform and alert on suspicious shell metacharacters.
- Baseline expected rtk invocations and alert on deviations such as inline shell substitutions or non-rtk binaries spawned by the plugin process.
How to Mitigate CVE-2026-55249
Immediate Actions Required
- Restrict or disable the @rtk-ai/rtk-rewrite plugin in OpenClaw deployments until a fixed release is applied.
- Validate and reject any command parameter values containing $(, `, ;, |, &, or newline characters at the gateway boundary.
- Run the plugin or gateway process under a least-privileged service account isolated from sensitive data and credentials.
Patch Information
No fixed version is listed in the NVD entry at publication. Consult the GitHub Security Advisory GHSA-fqgj-m2gp-mr3q for the latest remediation guidance and upgrade instructions from the rtk-ai/rtk maintainers.
Workarounds
- Replace execSync() with execFileSync() or spawn() using an argument array, eliminating shell interpretation entirely.
- If shell invocation is required, single-quote attacker-controlled values and escape embedded single quotes rather than relying on JSON.stringify().
- Enforce an allowlist of permitted commands and arguments at the OpenClaw exec tool layer before the plugin receives input.
- Sandbox the plugin process with seccomp, AppArmor, or containerized execution to limit the blast radius of successful injection.
# Configuration example: gateway-level input validation
if echo "$COMMAND" | grep -Eq '\$\(|`|;|&&|\|\||\n'; then
echo "Rejected: shell metacharacters detected" >&2
exit 1
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

