Severity Assessment

CVSS Assessment

Threat Model Alignment

Classification: security-specific

This finding crosses the trusted host/config boundary described in openclaw/SECURITY.md and openclaw/docs/gateway/security/index.md: remote provider responses are untrusted external input and should not become host execution on the gateway. In v2026.4.9, MiniMax verification_uri and Ollama signin_url values still flow into the Windows cmd /c start browser launcher without inner-quote escaping. The Out of Scope list excludes prompt-injection-only chains, trusted-operator local features, and hostile multi-tenant assumptions, but none of those exceptions cover a provider-controlled string reaching host command execution.

Impact

On Windows, a malicious or compromised provider response can turn an OAuth or sign-in URL into arbitrary command execution on the gateway host. openUrl() wraps the raw URL in quotes for cmd /c start but does not escape embedded double quotes, so a provider-supplied payload like https://example.invalid/" & calc & rem " breaks out of the quoted URL and runs attacker-controlled commands as the local OpenClaw user.

Affected Component

File: src/infra/browser-open.ts:37-42,89-103

if (platform === "win32") {
  return {
    argv: ["cmd", "/c", "start", ""],
    command: "cmd",
    quoteUrl: true,
  };
}

const quoteUrl = resolved.quoteUrl === true;
const command = [...resolved.argv];
if (quoteUrl) {
  if (command.at(-1) === "") {
    command[command.length - 1] = '""';
  }
  command.push(`"${url}"`);
}
await runCommandWithTimeout(command, {
  timeoutMs: 5_000,
  windowsVerbatimArguments: quoteUrl,
});

Technical Reproduction

1. Use a Windows OpenClaw host on release v2026.4.9 and start an interactive provider auth flow that calls openUrl(), such as MiniMax portal OAuth or Ollama Cloud sign-in.
2. Return a crafted provider URL containing an injected closing quote and command separator, for example https://example.invalid/" & calc & rem ".
3. MiniMax still reads verification_uri from the provider JSON response and calls await params.openUrl(verificationUrl) at extensions/minimax/oauth.ts:193-205; Ollama still reads signin_url from /api/me and calls await params.openUrl(authResult.signinUrl) at extensions/ollama/src/setup.ts:84-86,366-370.
4. On Windows, openUrl() still constructs cmd /c start "" "https://example.invalid/" & calc & rem "" and launches it with windowsVerbatimArguments: true, so cmd.exe executes the injected command on the host.

Demonstrated Impact

• src/plugins/provider-auth-choice.ts:111-124 and src/commands/models/auth.ts:293-304 still hand provider auth methods a host-local openUrl(url) callback, so interactive provider auth reaches the platform browser opener.
• extensions/minimax/oauth.ts:88-98,193-205 still accepts verification_uri from the provider response, checks only presence plus PKCE state, and then forwards the raw string to params.openUrl(verificationUrl).
• extensions/ollama/src/setup.ts:84-86,366-370 still reads signin_url from /api/me and, in non-remote interactive mode, forwards that raw response field to params.openUrl(authResult.signinUrl).
• src/process/exec.ts:15-42,103-114 still contains escapeForCmdExe() and the metacharacter rejection regex, but that protection is only applied when OpenClaw decides it is launching a .cmd or .bat target. openUrl() launches cmd directly, so the URL bypasses that escaping path entirely.
• Prevalence checks show the issue is specific rather than universal: extensions/google/oauth.ts:35-58 opens a locally generated auth URL, and extensions/github-copilot/login.ts:146-149 displays verification_uri to the user instead of passing it into openUrl().
• Release verification against v2026.4.9 (60db001e96ff96fe8796b3a9ff1b93125cceaa2e) confirms the vulnerable sink and both provider call paths are still present in the shipped tag.

Environment

• Verified release: v2026.4.9 (60db001e96ff96fe8796b3a9ff1b93125cceaa2e), published 2026-04-09T02:25:28Z.
• Platform: Windows only (process.platform === "win32"). macOS uses open, and Linux or WSL use xdg-open or wslview instead of cmd.exe.
• Trigger path: Interactive provider auth flows that open a browser locally.
• Prerequisites: The operator starts the auth flow, and the provider response can supply a crafted URL string, for example through a hostile or compromised auth endpoint or an attacker-controlled remote Ollama service.

Remediation Advice

Treat provider-returned browser URLs as untrusted input before any Windows launch step. Parse and scheme-validate the URL, reject embedded quotes and cmd.exe metacharacters, and replace the current cmd /c start path with a Windows opener that does not depend on manual shell quoting.