# CVE-to-Mitigation Map How Claude Code's architecture and configuration defend against each OpenClaw CVE disclosed in March 2026. Each row links a specific vulnerability to the defense mechanism and where it is configured in this repository. ## Mapping | CVE | CVSS | Attack | Claude Code defense | Where configured | Defense type | |-----|------|--------|-------------------|------------------|-------------| | CVE-2026-22172 | 9.9 | Client self-declares admin scope | Single-user architecture — no scope model, no multi-user auth layer | Architecture (inherent) | Eliminated | | CVE-2026-25253 | 8.8 | WebSocket hijack (one-click RCE) | No gateway, no listening port, no WebSocket server | Architecture (inherent) | Eliminated | | CVE-2026-22171 | 8.2 | Arbitrary file write via media path traversal | `pre-write-pathguard.mjs` blocks writes to sensitive paths; settings.json deny list blocks destructive commands | llm-security hook + `.claude/settings.json` | Blocked | | CVE-2026-32048 | 7.5 | Sandbox child process escape | Scoped Bash permissions (16 specific commands, not `Bash(*)`); `pre-bash-destructive.mjs` blocks dangerous patterns | `.claude/settings.json` allow list + llm-security hook | Blocked | | CVE-2026-32025 | 7.5 | Brute force on localhost auth | No authentication endpoint — single-user, no network service | Architecture (inherent) | Eliminated | | CVE-2026-32049 | 7.5 | DoS via oversized media payload | No media ingestion endpoint — files processed locally, no upload handler | Architecture (inherent) | Eliminated | | CVE-2026-32032 | 7.0 | Shell injection via SHELL env variable | `pre-bash-destructive.mjs` validates commands; scoped Bash permissions restrict allowed executables | llm-security hook + `.claude/settings.json` | Blocked | | CVE-2026-29607 | 6.4 | Approve-then-swap (approval bypass) | Deterministic hook validation on every call (no cached approvals); `post-mcp-verify.mjs` scans all tool output | llm-security hooks | Blocked | | CVE-2026-28460 | 5.9 | Line-continuation allowlist bypass | Permission matching in settings.json is not regex-based; hooks validate the actual command, not a display string | `.claude/settings.json` + hooks | Blocked | ## Defense layers Claude Code's security is layered. No single mechanism is sufficient alone: ``` Layer 1: Architecture └─ No gateway, no ports, no multi-user auth └─ Eliminates: CVE-22172, CVE-25253, CVE-32025, CVE-32049 Layer 2: Permission model (settings.json) └─ Scoped Bash grants (16 specific commands) └─ 26-pattern deny list └─ Write/Edit require explicit user approval └─ Mitigates: CVE-32048, CVE-28460 Layer 3: Hook enforcement (llm-security plugin) └─ PreToolUse: block before execution └─ PostToolUse: scan output after execution └─ UserPromptSubmit: block prompt injection └─ Mitigates: CVE-22171, CVE-32032, CVE-29607, CVE-30741 Layer 4: Runtime monitoring (llm-security plugin) └─ Session guard: sliding window anomaly detection └─ MCP verify: description drift + volume tracking └─ Supply chain: package audit on every install └─ Detects: compound attack chains, slow exfiltration ``` ## What this does NOT cover - **Kernel-level isolation:** NemoClaw (Landlock, seccomp, netns) provides stronger containment than hooks. Hooks prevent the agent from *attempting* dangerous operations; kernel isolation contains the damage if prevention fails. - **Multi-tenant separation:** Claude Code is single-user. For multi-tenant scenarios, each user needs their own instance. - **Network egress filtering:** Claude Code communicates with Anthropic's API over HTTPS. It does not restrict other outbound connections. Use OS-level firewall rules for egress control. ## Prompt injection (CVE-2026-30741) Not in the original 9 CVEs but documented in OpenClaw's security advisories. The llm-security plugin provides 3-layer defense: 1. **Input scanning** (`pre-prompt-inject-scan.mjs`): Blocks injection patterns in user prompts before the LLM sees them. Configurable: block, warn, or off. 2. **Output scanning** (`post-mcp-verify.mjs`): Scans ALL tool output for injection attempts, HTML content traps, and suspicious patterns. Catches injection via MCP tool responses. 3. **Session pattern detection** (`post-session-guard.mjs`): Detects the "lethal trifecta" — untrusted input combined with sensitive data access and an exfiltration sink — using a sliding window of 20 tool calls. ## Supply chain (ClawHub malware) Not a CVE but a documented incident: 824 malicious skills found in ClawHub marketplace (the ClawHavoc campaign). The llm-security plugin's `pre-install-supply-chain.mjs` hook covers 7 package managers with: - Per-ecosystem blocklists for known malicious packages - Age gate (packages < 72 hours old are flagged) - npm audit integration (critical = block, high = warn) - PyPI API inspection for suspicious metadata - Levenshtein-based typosquat detection - OSV.dev batch API for known vulnerabilities ## Sources CVE data from NVD and OpenClaw security advisories (March 2026). See `openclaw-security-assessment.md` for full analysis with statistics and category-by-category comparison.