CVE-2026-39398: openclaw-claude-bridge: sandbox is not effective - `--allowed-tools ""` does not restrict available tools
- All CLI tools (Read/Write/Bash/WebFetch/…) remain nominally available to the spawned subprocess.
- Actual execution behavior in `--print` non-interactive mode depends on undocumented CLI defaults (may auto-deny, may error out, may hang).
- Users who deploy the bridge behind any interface that forwards untrusted prompts (e.g., publicly exposed OpenClaw gateway, automated pipelines with web-fetched context, agents that consume tool results from other systems) may be relying on a sandbox that does not exist.
The README explicitly makes a security claim the code does not uphold, creating a false sense of safety for downstream operators. If the underlying CLI behavior changes in a future version to auto-allow tools in `--print` mode, prompt-injection attacks could trigger arbitrary Read/Write/Bash operations in the gateway’s process context.
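A pre-spawn check for the pattern this advisory describes, as an added example that is not code from the bridge project: it refuses to launch a subprocess whose argument list relies on an empty `--allowed-tools` value. The function names `auditSpawnArgs` and `assertNoEmptyAllowlist` and the sample arguments are assumptions made for illustration; passing the check only rules out the empty-value pattern and does not prove that tools are restricted.

```javascript
// Added example: audit the argv a bridge would hand to the CLI subprocess.
// auditSpawnArgs / assertNoEmptyAllowlist are hypothetical helper names.
const FLAG = "--allowed-tools";

// Returns one finding per occurrence of the flag whose value names no tools.
function auditSpawnArgs(argv) {
  const findings = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    let value;
    if (arg === FLAG) {
      const next = argv[i + 1];
      // No value at all, or the next token is another flag: treat as empty.
      value = next === undefined || next.startsWith("--") ? "" : next;
    } else if (arg.startsWith(FLAG + "=")) {
      value = arg.slice(FLAG.length + 1);
    } else {
      continue;
    }
    // Split on commas and whitespace; "" and "  " both yield zero tool names.
    const tools = value.split(/[,\s]+/).filter(Boolean);
    if (tools.length === 0) {
      findings.push({ index: i, reason: "empty-allowlist" });
    }
  }
  return findings;
}

// Fail closed before spawning instead of trusting an empty allowlist.
function assertNoEmptyAllowlist(argv) {
  const findings = auditSpawnArgs(argv);
  if (findings.length > 0) {
    throw new Error(
      `${FLAG} with an empty value at argv[${findings[0].index}] ` +
        "does not restrict tools (CVE-2026-39398)"
    );
  }
  return argv;
}

// Constructed sample: the argument pattern named in the advisory title.
const sampleArgs = ["--print", "--allowed-tools", ""];
console.log(auditSpawnArgs(sampleArgs));
```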
References
- github.com/SeaL773/openclaw-claude-bridge
- github.com/SeaL773/openclaw-claude-bridge/commit/8a296f5
- github.com/SeaL773/openclaw-claude-bridge/releases/tag/v1.1.1
- github.com/SeaL773/openclaw-claude-bridge/security/advisories/GHSA-7853-gqqm-vcwx
- github.com/advisories/GHSA-7853-gqqm-vcwx
- nvd.nist.gov/vuln/detail/CVE-2026-39398