CVE-2026-32010
In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program
Description
### Summary

This issue applies to a **non-default configuration** only. If `sort` is manually added to `tools.exec.safeBins`, OpenClaw could treat `sort --compress-program=<prog>` as valid safe-bin usage. In `security=allowlist` + `ask=on-miss`, this could satisfy allowlist checks and skip operator approval, while GNU `sort` may invoke an external program via `--compress-program`.

### Affected Packages / Versions

- Ecosystem: npm
- Package: `openclaw`
- Affected: `<= 2026.2.21-2`
- Patched (planned next release): `>= 2026.2.22`

### Default Installations

Default installs are not impacted by this specific path because `sort` is not included in the default `tools.exec.safeBins`.

### Impact

- Type: approval/allowlist bypass in optional safe-bin configuration
- Scope: deployments that explicitly include `sort` in `tools.exec.safeBins` and use `allowlist + ask=on-miss`
- Consequence: an external program may run under the OpenClaw process context without the expected approval

### Technical Details

- The `sort` safe-bin profile allowed `--compress-program` as a value flag.
- Safe-bin satisfaction could therefore mark allowlist checks as satisfied.
- In `ask=on-miss`, satisfied allowlist checks skip approval prompts.

### Fix

- Block `--compress-program` in the safe-bin `sort` policy.
- Add unit and e2e regression coverage for `sort --compress-program` denial in safe-bin mode.

### Fix Commit(s)

- `57fbbaebca4d34d17549accf6092ae26eb7b605c`

OpenClaw thanks @tdjackey for reporting.
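The following is an added illustration, not OpenClaw's code, of the safe-bin decision the Technical Details and Fix sections describe: a `sort` profile that lists `--compress-program` as an ordinary value flag satisfies the allowlist check, while the corrected profile denies that flag so the command falls through to the `ask=on-miss` approval prompt. The profile shape, field names (`valueFlags`, `boolFlags`, `denyFlags`), and the sample command lines are assumptions for the example; the corrected check also treats any flag the profile does not know as a miss.

```javascript
// Added example (not OpenClaw's code): a minimal model of a safe-bin check
// under security=allowlist + ask=on-miss. Profile structure and field names
// are assumptions made for this illustration.

// Constructed safe-bin profiles for GNU sort. The "before" profile treats
// --compress-program as a normal value flag; the "after" profile denies it.
const SORT_PROFILE_BEFORE = {
  valueFlags: new Set(["-t", "-o", "--compress-program"]),
  boolFlags: new Set(["-r", "-n", "-u"]),
  denyFlags: new Set(),
};
const SORT_PROFILE_AFTER = {
  ...SORT_PROFILE_BEFORE,
  denyFlags: new Set(["--compress-program"]),
};

// Split "--flag=value" into its name and inline value (null if absent).
function splitLongFlag(arg) {
  const eq = arg.indexOf("=");
  return eq === -1 ? [arg, null] : [arg.slice(0, eq), arg.slice(eq + 1)];
}

// True when every flag in argv is explained by the bin's profile (safe-bin
// satisfied); false when the bin is unknown or any flag is denied or
// unrecognised, so the command is treated as an allowlist miss.
function safeBinSatisfied(argv, safeBins) {
  const [bin, ...args] = argv;
  const profile = safeBins[bin];
  if (!profile) return false;
  for (let i = 0; i < args.length; i++) {
    const arg = args[i];
    if (!arg.startsWith("-") || arg === "-") continue; // positional or stdin
    const [name, inlineValue] = splitLongFlag(arg);
    if (profile.denyFlags.has(name)) return false;      // the fix's denial
    if (profile.boolFlags.has(name)) continue;
    if (profile.valueFlags.has(name)) {
      if (inlineValue === null) i++; // "--flag value" form: skip the value
      continue;
    }
    return false; // unknown flag: do not claim safe-bin satisfaction
  }
  return true;
}

// In ask=on-miss, the operator is prompted only when the allowlist is missed.
function needsApproval(argv, safeBins) {
  return !safeBinSatisfied(argv, safeBins);
}
```

With `SORT_PROFILE_BEFORE` installed under `sort`, `sort --compress-program=gzip data.txt` returns `needsApproval === false`; with `SORT_PROFILE_AFTER` it returns `true` for both the `=` and separate-argument spellings of the flag.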
How to fix CVE-2026-32010
To remediate CVE-2026-32010, upgrade the affected package to a fixed version below.
- Upgrade to 2026.2.22 or later
Is CVE-2026-32010 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `openclaw`: all versions `>= 0, < 2026.2.22`