CVE Reports

Posted on • Originally published at cvereports.com

GHSA-48WF-G7CP-GR3M: OpenClaw Allowlist Bypass via 'env -S'

Vulnerability ID: GHSA-48WF-G7CP-GR3M
CVSS Score: 8.8
Published: 2026-03-03

A critical security bypass exists in OpenClaw's execution guard mechanism, allowing attackers to circumvent binary allowlists using the env utility's split-string feature. By leveraging env -S, an attacker can execute arbitrary commands even when the system is configured to restrict execution to specific safe binaries. This vulnerability stems from a semantic mismatch between the policy engine's validation logic and the runtime behavior of command-line wrappers.

TL;DR

OpenClaw's allowlist can be bypassed using env -S to execute arbitrary commands. The fix distinguishes between transparent wrappers and semantic execution modifiers, blocking dangerous flags.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-78
  • Attack Vector: Local (via Agent)
  • CVSS Score: 8.8
  • Impact: Arbitrary Code Execution
  • Exploit Status: PoC Available
  • Remediation: Patch Available

Affected Systems

  • OpenClaw (Moltbot/ClawdBot) < v2026.2.24
  • OpenClaw: < v2026.2.24 (Fixed in: v2026.2.24)

Code Analysis

Commit: a1c4bf0

fix(security): harden exec wrapper allowlist execution parity

Commit: 3f923e8

test: add env -S allowlist bypass regressions

Mitigation Strategies

  • Upgrade OpenClaw to version v2026.2.24 or later immediately.
  • Audit existing allowlists to remove generic wrappers like env, sh, or bash unless strictly necessary.
  • Implement strict argument validation for any allowlisted binary that accepts sub-commands.
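To make the TL;DR and the third mitigation concrete, the following is an added illustration written for this post; it is neither OpenClaw's code nor the actual patch. It puts a naive check that only inspects argv[0] beside a hardened check that unwraps env's transparent `VAR=value` form, refuses env's split-string flag, and validates the binary that would really run. The allowlist contents, the basename comparison, and the use of shlex to approximate env -S splitting are assumptions.

```python
# Hypothetical allowlist check for this post; not OpenClaw's code.
# Assumes: the allowlist ("safeBins") holds basenames, and env's
# split-string flag is the env option that rewrites the command line.
import os
import shlex

SAFE_BINS = {"ls", "cat", "env"}            # constructed policy: env is allowlisted
ENV_SPLIT_FLAGS = ("-S", "--split-string")  # env re-parses the next arg as a command line


def naive_allowed(argv):
    """The flawed check: only argv[0] is compared against the allowlist."""
    return os.path.basename(argv[0]) in SAFE_BINS


def runtime_command(argv):
    """Approximate the argv that executes after env has processed its arguments.
    Returns None when env would rewrite the command (-S, also in combined forms
    such as -vS), when any other env option appears, or when no command is left."""
    cmd = [os.path.basename(argv[0])] + list(argv[1:]) if argv else []
    while cmd and cmd[0] == "env":
        cmd = cmd[1:]
        while cmd:
            tok = cmd[0]
            if tok.startswith("-"):
                # Any env option means argv[0] no longer tells us what runs;
                # refuse rather than guess (covers -S, --split-string=..., -i, --).
                return None
            if "=" in tok and not tok.startswith("="):
                cmd = cmd[1:]   # VAR=value assignment: transparent, pass through
                continue
            break
        if cmd:
            cmd[0] = os.path.basename(cmd[0])
    return cmd or None           # bare "env" (prints the environment) is refused


def hardened_allowed(argv):
    """The fixed check: validate the binary that will actually execute."""
    cmd = runtime_command(argv)
    return cmd is not None and cmd[0] in SAFE_BINS


def split_string_target(argv):
    """For audit logs: the command line env -S would build from its argument.
    shlex only approximates env's own splitting (escapes, comments, $VAR)."""
    for i, tok in enumerate(argv):
        if tok in ENV_SPLIT_FLAGS and i + 1 < len(argv):
            return shlex.split(argv[i + 1])
        if tok.startswith("--split-string="):
            return shlex.split(tok.split("=", 1)[1])
    return None
```

Logging `split_string_target` next to the blocked argv gives responders the command that the naive check would have let through.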

Remediation Steps:

  1. Pull the latest version of the OpenClaw repository or Docker image.
  2. Verify the installation of the patch by checking for the fix(security) commit hash a1c4bf07c6baad3ef87a0e710fe9aef127b1f606.
  3. Review the config.yaml or relevant policy file to ensure safeBins does not include unnecessary broad-scope binaries.
  4. Restart the OpenClaw service to apply the new execution guard logic.

Read the full report for GHSA-48WF-G7CP-GR3M on our website for more details including interactive diagrams and full exploit analysis.