Logic Flaw in OpenClaude Command Line Interface by Gitlawb
CVE-2026-35570

8.4 HIGH

Key Information:

Vendor: Gitlawb
CVE Published: 20 April 2026

What is CVE-2026-35570?

OpenClaude, an open-source command line interface for cloud and local model providers, contains a logic flaw in its permission handling. In versions prior to 0.5.1, the function bashToolHasPermission() improperly evaluates permissions when the sandbox auto-allow feature is enabled and no explicit deny rule is configured. As a result, commands containing path traversal sequences can bypass directory restrictions entirely. This undermines the integrity and security of command execution by allowing unauthorized access to sensitive system files. Version 0.5.1 addresses this issue.

Affected Version(s)

openclaude < 0.5.1

CVSS V3.1

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved