Command injection in /debug/cli endpoint #299

@jbbjbb

Summary

The /debug/cli endpoint in src/routes/debug.ts (lines 131-134) passes the user-supplied cmd query parameter directly to sandbox.startProcess() without sanitization.

const cmd = c.req.query('cmd') || 'openclaw --version';
const result = await sandbox.startProcess(cmd);

While this endpoint is behind authentication middleware, any authenticated user can execute arbitrary commands inside the container.

Impact

Severity: Critical — Arbitrary command execution in the container. An authenticated user could:

  • Read/modify container files (config, secrets, workspace data)
  • Exfiltrate environment variables including API keys
  • Modify the running OpenClaw process or its configuration

Recommendation

Either:

  1. Remove the endpoint entirely (it's a debug tool)
  2. Restrict to an allowlist of safe commands (e.g., openclaw --version, openclaw doctor)
  3. Add strict input validation to prevent shell metacharacters

Found during security review for #74 / PR #298.
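
Option 2 of the recommendation (an allowlist), as an added example that is not part of the original issue or the project's code. The two permitted commands are the ones the issue names; `resolveDebugCommand`, `runDebugCommand` and the `ProcessRunner` interface are hypothetical names, and the return type of `startProcess` is an assumption.

```typescript
// Added example: allowlist for the /debug/cli `cmd` query parameter.
// The permitted commands are the two named in the issue's recommendation.
const ALLOWED_COMMANDS: ReadonlySet<string> = new Set([
  'openclaw --version',
  'openclaw doctor',
]);

// Same default the route already uses when `cmd` is absent.
const DEFAULT_COMMAND = 'openclaw --version';

// Returns the command to run, or null when the request must be rejected.
function resolveDebugCommand(raw: string | undefined): string | null {
  if (raw === undefined || raw === '') {
    return DEFAULT_COMMAND;
  }
  // Exact match only: no trimming, prefix matching or case folding, so
  // nothing can be appended to (or smuggled around) an allowed command.
  return ALLOWED_COMMANDS.has(raw) ? raw : null;
}

// Assumed minimal shape of the sandbox object used by the route.
interface ProcessRunner {
  startProcess(cmd: string): Promise<unknown>;
}

// Hypothetical handler core: reject with 400 before anything reaches the sandbox.
async function runDebugCommand(
  sandbox: ProcessRunner,
  rawCmd: string | undefined,
): Promise<{ status: number; body: unknown }> {
  const command = resolveDebugCommand(rawCmd);
  if (command === null) {
    return { status: 400, body: { error: 'command not in allowlist' } };
  }
  const result = await sandbox.startProcess(command);
  return { status: 200, body: result };
}
```

Because the check is an exact string comparison against fixed values, it does not depend on enumerating shell metacharacters, which is where option 3 tends to fall short.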
