OpenClaw Open Wide: Bypassing 'Safe' Execution with Basic Unix Flags
Vulnerability ID: GHSA-4685-C5CP-VP95
CVSS Score: 4.3
Published: 2026-02-19
The road to remote code execution is often paved with good intentions and 'safe' lists. OpenClaw, an execution approval system, attempted to reduce user friction by allowing specific 'safe binaries' (like grep and sort) to run without manual approval, provided they only accepted input from stdin. Unfortunately, the developers underestimated the sheer power of 50-year-old Unix utilities. By failing to account for binary-specific flags that override standard I/O streams, the system allowed attackers to turn a simple text sorter into an arbitrary file writer and a text searcher into a recursive filesystem exfiltrator. This vulnerability highlights the classic security pitfall of blacklisting arguments instead of whitelisting strict behaviors.
TL;DR
OpenClaw's safeBins feature intended to allow harmless tools to run automatically. However, it failed to block dangerous flags like sort -o (write output to file) and grep -r (recursive read). This allowed attackers to bypass the 'stdin-only' restriction, leading to Arbitrary File Write and Arbitrary File Read vulnerabilities.
⚠️ Exploit Status: POC
Technical Details
- Component: openclaw/safeBins
- Attack Vector: Local / Agent Command Injection
- Vulnerability Type: Argument Injection / Logic Flaw
- CVSS: 4.3 (Medium)
- Impact: Arbitrary File Read/Write
- Exploit Status: PoC Available
Affected Systems
- openclaw (npm)
- openclaw: < 0.1.18 (Fixed in: 0.1.18)
Code Analysis
Commit: cfe8457
fix(exec-allowlist): harden safe bin check
+ const SAFE_BIN_OPTION_POLICIES = { sort: ['-o', '--output'], grep: ['-r', ...]}
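Review bot: SAFE_BIN_OPTION_POLICIES on the added line reads as a per-binary list of refused options (-o and --output for sort, -r for grep), so any option missing from a list is still accepted. Consider inverting the policy so it lists the options each binary may receive and refuses everything else. Also confirm the matcher catches attached and abbreviated spellings such as -o<file>, --output=<file> and --out, which GNU sort treats the same as the listed forms.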
Exploit Details
- GitHub Advisory: Advisory containing PoC for sort and grep bypasses
Mitigation Strategies
- Strict Flag Allowlisting: Never assume a binary is safe. Whitelist specific flags (e.g., only allow grep -v or sort -n) rather than blacklisting known bad ones.
- Sandbox Execution: Run these tools in a container or jail where filesystem access is restricted at the OS level, rendering -o or -r useless.
- Full Command Matching: Instead of approving the binary, approve the exact command string including arguments.
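One way to implement the strict flag allowlisting described above, as an added example that is not OpenClaw's code: the policy table, the function name and the chosen flags are assumptions. It goes slightly beyond the two flags named in the text by also handling clustered short flags, long options and extra file operands.

```javascript
// Added example: hypothetical allowlist policy, not OpenClaw's own code.
// Only argument-less short flags are listed, so a cluster such as "-vi"
// can be validated one character at a time.
const ALLOWED_ARGS = new Map([
  ['grep', { flags: new Set(['v', 'i', 'n', 'c', 'E', 'F']), maxOperands: 1 }], // pattern only
  ['sort', { flags: new Set(['n', 'r', 'u']), maxOperands: 0 }],                // stdin only
]);

function checkSafeBinArgs(bin, args) {
  const policy = ALLOWED_ARGS.get(bin);
  if (!policy) return { ok: false, reason: `binary not allowlisted: ${bin}` };

  let operands = 0;
  let optionsEnded = false;
  for (const arg of args) {
    if (typeof arg !== 'string') return { ok: false, reason: 'non-string argument' };
    if (!optionsEnded && arg === '--') { optionsEnded = true; continue; }
    if (!optionsEnded && arg.startsWith('--')) {
      // GNU tools accept abbreviated long options (--out for --output),
      // so long options are refused outright rather than matched by name.
      return { ok: false, reason: `long option refused: ${arg}` };
    }
    if (!optionsEnded && arg.length > 1 && arg.startsWith('-')) {
      for (const ch of arg.slice(1)) {
        if (!policy.flags.has(ch)) return { ok: false, reason: `flag not allowlisted: -${ch}` };
      }
      continue;
    }
    // Anything else is an operand: the pattern for grep, a file for sort.
    operands += 1;
    if (operands > policy.maxOperands) return { ok: false, reason: `unexpected operand: ${arg}` };
  }
  return { ok: true, reason: 'allowed' };
}

// Constructed sample commands, not taken from the advisory.
const samples = [
  ['grep', ['-vi', 'error']],
  ['sort', ['-n']],
  ['sort', ['-o', '/tmp/out']],
  ['sort', ['-no/tmp/out']],
  ['sort', ['--out=/tmp/out']],
  ['grep', ['-r', 'secret', '/']],
  ['grep', ['secret', '/etc/passwd']],
];
for (const [bin, args] of samples) {
  const verdict = checkSafeBinArgs(bin, args);
  console.log(`${bin} ${args.join(' ')} -> ${verdict.ok ? 'ALLOW' : 'DENY'} (${verdict.reason})`);
}
```

Because every permitted flag takes no value, a clustered argument like -no/tmp/out is rejected at the first unlisted character instead of being mistaken for -n.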
Remediation Steps:
- Update openclaw to version 0.1.18 or later immediately.
- Audit your tools.exec.safeBins configuration. If you manually re-enable grep or sort, ensure you understand the risks.
- Remove sort, grep, head, tail, and wc from any custom safe lists if you cannot guarantee they won't be abused.