LeakyCreds

CVE-2026-35570 - Vulnerability Analysis

Severity: High, CVSS: 8.4

Last Updated: April 21, 2026

OpenClaude - Broken Access Control

Published: April 21, 2026
Updated: April 21, 2026
PoC Available

Overview

OpenClaude versions before 0.5.1 contain a broken access control vulnerability caused by a logic flaw in bashToolHasPermission(). Path traversal sequences bypass the directory restrictions, letting attackers execute commands outside the allowed paths. Exploitation requires sandbox auto-allow to be enabled with no explicit deny rules.

Severity & Score

Severity: High
CVSS Score: 8.4

Impact

Attackers can bypass directory restrictions to execute commands accessing unauthorized file paths, potentially leading to data exposure or system compromise.

Mitigation

Update to version 0.5.1 or later.

Details

CVE ID: CVE-2026-35570
Severity: High
CVSS Score: 8.4
Type: broken_access_control
Status: new

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N