busybox and toybox applet execution weakened exec approval binding.
Package: openclaw. Vulnerable: >= 2026.2.23, < 2026.4.12. Patched: >= 2026.4.12.

Opaque multi-call binaries such as busybox and toybox could obscure which applet or script-like behavior would actually run, weakening exec approval binding and risk classification.
The fix treats busybox and toybox as opaque mutable script runners and fails closed rather than binding unsafe applet invocations.
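As an added illustration of the weakness described above (this is not openclaw's code; the policy tables, names and the "low/high" risk labels are assumptions of this example), a minimal exec-approval classifier in a weak form that rates the applet argument, next to a fail-closed form that treats busybox and toybox as opaque script runners:

```python
import os

# Hypothetical policy tables for this example only (not openclaw's).
LOW_RISK_APPLETS = {"cat", "ls", "head", "wc", "echo"}
SCRIPT_RUNNERS = {"sh", "ash", "bash", "dash"}
MULTI_CALL_BINARIES = {"busybox", "toybox"}


def classify_naive(argv):
    """Weak binding: unwrap the applet argument and rate that applet.

    'busybox cat x' is bound as ('cat', 'low') and could be auto-approved,
    although the binary is a mutable, self-selecting dispatcher and the
    applet word is not a reliable statement of what will actually run.
    """
    prog = os.path.basename(argv[0])
    if prog in MULTI_CALL_BINARIES and len(argv) > 1:
        prog = os.path.basename(argv[1])
    if prog in SCRIPT_RUNNERS:
        return prog, "high"
    if prog in LOW_RISK_APPLETS:
        return prog, "low"
    return prog, "unknown"


def classify_hardened(argv):
    """Fail-closed binding: a multi-call binary is an opaque script runner.

    Nothing after 'busybox' or 'toybox' is inspected; the command is bound
    to the runner itself and rated high, so it can never match a low-risk
    approval regardless of the applet argument.
    """
    prog = os.path.basename(argv[0])
    if prog in MULTI_CALL_BINARIES or prog in SCRIPT_RUNNERS:
        return prog, "high"
    if prog in LOW_RISK_APPLETS:
        return prog, "low"
    return prog, "unknown"


def may_auto_approve(argv, classifier):
    """Only a low-risk binding may bypass interactive approval."""
    _, risk = classifier(argv)
    return risk == "low"
```

With the hardened classifier every busybox or toybox invocation, including a bare `busybox` with no applet, falls through to interactive approval.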
The issue was fixed in #65713. The first stable tag containing the fix is v2026.4.12, and [email protected] includes the fix.
Fix commit: 666f48d9b882a8a1415ca53f9567c72499d850c9

Users should upgrade to openclaw 2026.4.12 or newer. The latest npm release, 2026.4.14, already includes the fix.
Thanks to @decsecre583 for reporting this issue.
| Score | Percentile |
|---|---|
| 0.05% | 16.62% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.8 | 3.1 | — | |
| 8.6 | 4.0 | — | |
| Type | Value |
|---|---|
| GHSA | GHSA-2cq5-mf3v-mx44 |
| CVE | CVE-2026-43530 |
| CWE id | Name |
|---|---|
| CWE-863 | Incorrect Authorization |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | >= 2026.2.23, < 2026.4.12 | 2026.4.12 | — |