Fixed in OpenClaw 2026.3.24, the current shipping release.

Advisory Details

Title: Incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in !stop Chat Command via shell-utils.ts

Description:

Summary

The !stop (and /bash stop) chat command kills background bash processes using SIGKILL directly, without first sending SIGTERM to allow graceful shutdown. This is because bash-command.ts imports killProcessTree() from src/agents/shell-utils.ts, which still contains the pre-CVE-2026-27486 aggressive kill logic, rather than from the patched src/process/kill-tree.ts.

Details

CVE-2026-27486 fixed unsafe process termination by introducing a graceful shutdown sequence in src/process/kill-tree.ts — sending SIGTERM first, waiting a configurable grace period (default 3 seconds), then escalating to SIGKILL only if the process is still alive.

However, an identical copy of the unpatched killProcessTree function remains in src/agents/shell-utils.ts (lines 170–192). This function sends SIGKILL immediately with no SIGTERM:

// src/agents/shell-utils.ts:170-192
export function killProcessTree(pid: number): void {
  // ... Windows handling ...
  try {
    process.kill(-pid, "SIGKILL"); // Immediate hard kill, no SIGTERM
  } catch {
    try {
      process.kill(pid, "SIGKILL");
    } catch {
      // process already dead
    }
  }
}

The !stop chat command handler in src/auto-reply/reply/bash-command.ts imports and calls this vulnerable version at line 302:

// src/auto-reply/reply/bash-command.ts:5
import { killProcessTree } from "../../agents/shell-utils.js";

// src/auto-reply/reply/bash-command.ts:300-304
const pid = running.pid ?? running.child?.pid;
if (pid) {
  killProcessTree(pid);  // Calls the UNPATCHED version
}
markExited(running, null, "SIGKILL", "failed");

Compare this to the patched version in src/process/kill-tree.ts:

// src/process/kill-tree.ts:46-78
function killProcessTreeUnix(pid: number, graceMs: number): void {
  // Step 1: Try graceful SIGTERM to process group
  try {
    process.kill(-pid, "SIGTERM");
  } catch { /* ... */ }

  // Step 2: Wait grace period, then SIGKILL if still alive
  setTimeout(() => {
    if (isProcessAlive(-pid)) {
      try { process.kill(-pid, "SIGKILL"); } catch { /* ... */ }
    }
  }, graceMs).unref();
}

PoC

This PoC demonstrates the difference between the vulnerable and patched code paths inside a running OpenClaw Gateway container.

Setup:

# Build and start the gateway container
cd CVE-2026-27486-variant-exp/
docker compose up -d
sleep 5

Exploit (vulnerable killProcessTree from shell-utils.ts):

The following script is injected into the container and executed. It starts a bash process that traps SIGTERM for graceful shutdown, then kills it using the same code path as !stop:

// exploit_sigkill.cjs — replicates src/agents/shell-utils.ts:183-190
const { spawn } = require('child_process');
const fs = require('fs');

try { fs.unlinkSync('/tmp/graceful_shutdown.txt'); } catch {}

const child = spawn('/bin/bash', ['-c',
  'trap \'echo GRACEFUL_SHUTDOWN > /tmp/graceful_shutdown.txt; exit 0\' SIGTERM; while true; do sleep 1; done'
], { detached: true, stdio: 'ignore' });
child.unref();

setTimeout(() => {
  // VULNERABLE: same as shell-utils.ts — SIGKILL only
  try { process.kill(-child.pid, 'SIGKILL'); } catch {
    try { process.kill(child.pid, 'SIGKILL'); } catch {}
  }
  setTimeout(() => {
    if (fs.existsSync('/tmp/graceful_shutdown.txt')) {
      console.log('[BLOCKED] SIGTERM was received.');
      process.exit(1);
    } else {
      console.log('[EXPLOITED] SIGKILL sent directly — SIGTERM never delivered.');
      process.exit(0);
    }
  }, 2000);
}, 1000);

Run:

python3 poc_exploit.py

Log of Evidence

Exploit output (SIGKILL only, no graceful shutdown):

[*] Running exploit (vulnerable killProcessTree from shell-utils.ts)...
[*] Victim PID: 78
[*] Calling vulnerable killProcessTree (SIGKILL only, no SIGTERM)...
[EXPLOITED] SIGKILL sent directly — SIGTERM never delivered.
[EXPLOITED] Graceful shutdown handler was NEVER invoked.

[SUCCESS] CVE-2026-27486 variant confirmed:
  killProcessTree() in shell-utils.ts sends immediate SIGKILL,
  bypassing the graceful shutdown fix in process/kill-tree.ts.

Control output (SIGTERM first, graceful shutdown works):

[*] Running control (patched killProcessTree from process/kill-tree.ts)...
[*] Victim PID: 93
[*] Calling patched killProcessTree (SIGTERM first, then SIGKILL after grace)...
[NORMAL] SIGTERM received — graceful shutdown completed. Flag: GRACEFUL_SHUTDOWN

[NORMAL] Control confirmed: patched killProcessTree sends SIGTERM first,
         allowing graceful shutdown before escalating to SIGKILL.

Impact

When !stop is used, background processes are killed instantly via SIGKILL with no chance to perform cleanup. This can result in:

• Data corruption: processes writing to files or databases are interrupted mid-write
• Resource leaks: temporary files, lock files, and network connections are not properly released
• Security-sensitive cleanup skipped: operations like erasing in-memory secrets or completing audit logs are bypassed

This is the same class of impact that CVE-2026-27486 was filed for — the fix simply missed the shell-utils.ts copy of the function.

Affected products

• Ecosystem: npm
• Package name: openclaw
• Affected versions: <= 2026.3.14
• Patched versions:

Severity

• Severity: Medium
• Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Weaknesses

• CWE: CWE-404: Improper Resource Shutdown or Release

Occurrences

References

• GHSA-3298-56p6-rpw2
• GHSA-jfv4-h8mc-jcp8