GHSA-7f4q-9rqh-x36p: Execution Allowlist Bypass in OpenClaw macOS via Basename Matching
Vulnerability ID: GHSA-7F4Q-9RQH-X36P
CVSS Score: 7.5
Published: 2026-03-03
A logic flaw in the OpenClaw macOS application allowed an attacker to bypass the optional execution allowlist that gates system.run. The ExecAllowlistMatcher component permitted command execution based solely on the filename (basename) of the target binary rather than its absolute path. An attacker who could write a file into a directory where the agent operates could therefore run arbitrary code by naming a malicious binary after an allowed command (for example, a binary named echo matching an allowlist entry for echo), circumventing the intended security policy.
TL;DR
OpenClaw's macOS allowlist failed to enforce path specificity, allowing execution of malicious binaries that shared a filename with allowed commands. Fixed in commit dd41fa by removing basename fallback matching.
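The bug class described above (a basename fallback in an allowlist matcher) beside the path-only matching the fix enforces, as an added example. This is illustrative Python, not OpenClaw's Swift code: the allowlist shape (a list of strings), the rule that only absolute patterns count as path patterns, the use of realpath() for canonicalisation, and the staged attacker binary are all assumptions constructed for the demonstration.

```python
"""Exec-allowlist matching: basename fallback (the bug) beside path-only matching (the fix).

Added example, not OpenClaw code. The allowlist format, the is_path_pattern rule
(absolute path == path pattern) and the use of realpath() are assumptions.
"""
import fnmatch
import os
import stat
import tempfile


def is_path_pattern(pattern: str) -> bool:
    """Assumption: only absolute patterns count as path patterns."""
    return pattern.startswith("/")


def match_vulnerable(allowlist, executable_path):
    """Pre-fix logic: try path patterns, then fall back to matching the basename only."""
    name = os.path.basename(executable_path)
    for entry in allowlist:
        if is_path_pattern(entry) and fnmatch.fnmatchcase(executable_path, entry):
            return entry
        if fnmatch.fnmatchcase(name, entry):  # insecure fallback: any directory, same filename
            return entry
    return None


def match_fixed(allowlist, executable_path):
    """Post-fix logic: only absolute path patterns, compared against the canonical path
    so that symlinks and '..' components cannot disguise where the binary really lives."""
    canonical = os.path.realpath(executable_path)
    for entry in allowlist:
        if is_path_pattern(entry) and fnmatch.fnmatchcase(canonical, entry):
            return entry
    return None


def write_script(path, body):
    """Write a small executable shell script (constructed test fixture)."""
    with open(path, "w") as f:
        f.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def demo():
    """Constructed scenario: a trusted echo and an attacker-staged echo sharing a basename."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted_dir = os.path.realpath(os.path.join(tmp, "bin"))
        staging_dir = os.path.realpath(os.path.join(tmp, "agent-workdir"))
        os.makedirs(trusted_dir)
        os.makedirs(staging_dir)
        real_echo = write_script(os.path.join(trusted_dir, "echo"), 'echo "$@"')
        fake_echo = write_script(os.path.join(staging_dir, "echo"), "echo PWNED")
        link = os.path.join(staging_dir, "echo-link")
        os.symlink(fake_echo, link)

        # A legacy basename entry next to an absolute one, as an un-migrated allowlist would have.
        allowlist = ["echo", os.path.join(trusted_dir, "echo")]

        return {
            "vulnerable_allows_staged": match_vulnerable(allowlist, fake_echo) is not None,
            "fixed_allows_staged": match_fixed(allowlist, fake_echo) is not None,
            "fixed_allows_symlink_to_staged": match_fixed(allowlist, link) is not None,
            "fixed_allows_trusted": match_fixed(allowlist, real_echo) is not None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable matcher accepts the staged binary because its basename is "echo"; the fixed matcher ignores the legacy entry entirely and only accepts the binary at the absolute path, even when reached through a symlink, because it compares the canonical path.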
⚠️ Exploit Status: POC
Technical Details
- Vulnerability ID: GHSA-7f4q-9rqh-x36p
- CWE ID: CWE-427
- Attack Vector: Local
- Impact: Security Bypass / Code Execution
- Severity: High
- Status: Patched
Affected Systems
- OpenClaw macOS Desktop Application
- OpenClaw macOS: builds before Feb 21 2026 (fixed in the Feb 21 2026 build)
Code Analysis
Commit: dd41fad
Remove insecure basename matching and enforce path patterns for allowlist
swift
- } else if self.matches(pattern: pattern, target: executableName) {
- return entry
- }
+ if ExecAllowlistMatcher.isPathPattern(pattern) &&
+ self.matches(pattern: pattern, target: resolution.executablePath) {
+ return entry
+ }
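Review bot: the new branch silently skips any entry for which `ExecAllowlistMatcher.isPathPattern(pattern)` is false, so a legacy basename entry such as `echo` now matches nothing rather than producing an error; either reject non-path patterns at load time with a clear message or rely on the migration described in the remediation steps, so an operator can tell a dropped entry from a matcher bug. Also confirm that `resolution.executablePath` is the canonical, symlink-resolved path before it reaches `self.matches(pattern:target:)`; if it can still carry a symlink or a `..` component, a path pattern could be satisfied by a binary that does not actually live under the allowed location.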
Mitigation Strategies
- Upgrade OpenClaw macOS application to the latest version immediately.
- Audit existing allowlists to ensure all entries use absolute paths (e.g., /usr/bin/python3 instead of python).
- Restrict write access to directories where the OpenClaw agent operates to prevent the staging of malicious binaries.
Remediation Steps:
- Download the latest release of OpenClaw for macOS.
- Launch the application to trigger the automatic migration logic, which converts legacy basename allowlist entries to absolute paths.
- Open the Settings panel and verify the system.run allowlist configuration.
- Remove any entries that do not point to specific, trusted binary locations.
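The audit and migration the steps above ask for, as an added example rather than OpenClaw's own migration logic. It migrates legacy basename entries to absolute paths found in a trusted search path, pins symlinked entries to their canonical target, and flags entries that do not name one specific, non-writable binary. The allowlist shape (a list of strings), the trusted search path, the wildcard rule and the writability rules are assumptions; the temporary directory tree in demo() is constructed for the demonstration.

```python
"""Audit an exec allowlist after the fix: migrate legacy basename entries to absolute
paths and flag entries that do not name one specific, non-writable binary.

Added example, not OpenClaw's migration code. The allowlist shape, the trusted search
path, the wildcard rule and the writability rules are assumptions.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

GLOB_CHARS = set("*?[")


@dataclass
class Finding:
    entry: str
    action: str                      # "keep", "migrate" or "remove"
    detail: str
    replacement: Optional[str] = None


def group_or_world_writable(path: str) -> bool:
    """True if the file or directory mode grants write to group or others."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_entry(entry: str, search_path: List[str]) -> Finding:
    if GLOB_CHARS & set(entry):
        return Finding(entry, "remove", "wildcard pattern does not name one specific binary")
    if not os.path.isabs(entry):
        # Legacy basename entry: look for it only in the trusted search path.
        hits = [os.path.join(d, entry) for d in search_path
                if os.path.isfile(os.path.join(d, entry))]
        if len(hits) == 1:
            return Finding(entry, "migrate", "legacy basename entry", hits[0])
        if not hits:
            return Finding(entry, "remove", "basename not found in the trusted search path")
        return Finding(entry, "remove", f"ambiguous basename, found in {len(hits)} locations")
    if not os.path.isfile(entry):
        return Finding(entry, "remove", "path does not exist or is not a regular file")
    if group_or_world_writable(entry) or group_or_world_writable(os.path.dirname(entry)):
        return Finding(entry, "remove", "binary or its directory is group/world writable")
    canonical = os.path.realpath(entry)
    if canonical != entry:
        return Finding(entry, "migrate", "path goes through a symlink; pin the canonical target", canonical)
    return Finding(entry, "keep", "absolute, existing, not writable by others")


def audit(allowlist: List[str], search_path: List[str]) -> List[Finding]:
    return [audit_entry(e, search_path) for e in allowlist]


def migrated(allowlist: List[str], search_path: List[str]) -> List[str]:
    """The cleaned allowlist: kept entries plus migrated replacements, de-duplicated, removals dropped."""
    out = []
    for f in audit(allowlist, search_path):
        if f.action == "keep":
            out.append(f.entry)
        elif f.action == "migrate":
            out.append(f.replacement)
    return list(dict.fromkeys(out))


def demo():
    """Constructed tree: a trusted bin dir, a world-writable dir, a symlink and a missing path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        trusted = os.path.join(root, "usr", "bin")
        loose = os.path.join(root, "opt", "shared")
        os.makedirs(trusted)
        os.makedirs(loose)
        os.chmod(trusted, 0o755)
        os.chmod(loose, 0o777)   # constructed: anyone can drop a binary here

        def mk(path, mode=0o755):
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
            return path

        echo = mk(os.path.join(trusted, "echo"))
        shared = mk(os.path.join(loose, "tool"))
        link = os.path.join(root, "echo-link")
        os.symlink(echo, link)

        cases = {
            "legacy_basename": "echo",
            "unknown_basename": "python",
            "absolute_trusted": echo,
            "in_writable_dir": shared,
            "wildcard": os.path.join(trusted, "*"),
            "missing": os.path.join(root, "missing"),
            "symlink": link,
        }
        actions = {label: audit_entry(entry, [trusted]).action for label, entry in cases.items()}
        cleaned = migrated(list(cases.values()), [trusted])
        return actions, cleaned


if __name__ == "__main__":
    actions, cleaned = demo()
    for label, action in actions.items():
        print(f"{label}: {action}")
    print("cleaned allowlist:", cleaned)
```

Run it once against the real allowlist before trusting the migrated output: every "remove" finding should be reviewed by hand, since a basename that is not found in the trusted search path may be a typo rather than an attack.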