
CVE Reports

Originally published at cvereports.com

GHSA-GWQP-86Q6-W47G: Execution Approval Bypass via Shell Multiplexers in OpenClaw

Vulnerability ID: GHSA-GWQP-86Q6-W47G
CVSS Severity: High
Published: 2026-03-02

A high-severity logic flaw exists in the execution authorization engine of the OpenClaw AI assistant. The 'allow-always' persistence mechanism records an approval against the executable path alone, which is the wrong identity for a shell multiplexer such as BusyBox or Toybox: with those binaries, the first argument (the applet) decides which program actually runs. By approving a single benign command routed through a multiplexer, a user therefore grants permanent, blanket execution rights to the multiplexer binary itself. A malicious prompt or local attacker can then run arbitrary commands through the same binary (for example via its shell applet) without triggering any further approval prompt.

TL;DR

OpenClaw failed to distinguish between shell multiplexers (like BusyBox) and standard executables. If a user 'always allowed' a benign BusyBox command, the system allowlisted the BusyBox binary path. Attackers could then use BusyBox to run arbitrary malicious commands without user approval.
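The following is an added example written for this page; it is not OpenClaw's code and the hardened variant is one plausible fix, not necessarily the one in commit a67689a. It models an allow-always approval engine with a pluggable key function: the vulnerable key is the executable name alone, so `busybox ls` and `busybox sh -c ...` collapse into the same persisted entry; the hardened key includes the applet for known multiplexers and refuses to persist shell applets at all. Names such as `ApprovalEngine`, `allowKeyHardened` and the `exe:applet` key format are assumptions, and the two command lines are constructed for the scenario.

```javascript
// Added example written for this page; it is not OpenClaw's code. It models
// an "allow-always" approval engine to show why keying approvals on the
// multiplexer binary alone is unsafe. Names and the key format are assumptions.

// Binaries whose first argument (the "applet") selects the program that runs.
const MULTIPLEXERS = new Set(["busybox", "toybox"]);

// Applets that are shells: persisting an approval for them is equivalent to
// approving arbitrary commands, so the hardened key function refuses them.
const SHELL_APPLETS = new Set(["sh", "ash", "hush", "bash"]);

function basename(p) {
  return p.split("/").pop();
}

// Vulnerable behaviour: the persisted key is the executable alone, so
// "busybox ls" and "busybox sh -c ..." collapse to the same key.
function allowKeyVulnerable(argv) {
  return basename(argv[0]);
}

// Hardened behaviour (one possible fix, not necessarily the project's):
// a multiplexer is keyed on executable plus applet, shell applets are never
// persisted, and a missing applet leaves nothing safe to key on.
function allowKeyHardened(argv) {
  const exe = basename(argv[0]);
  if (!MULTIPLEXERS.has(exe)) return exe;
  const applet = argv[1];
  if (applet === undefined || SHELL_APPLETS.has(applet)) return null;
  return `${exe}:${applet}`;
}

class ApprovalEngine {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.allowAlways = new Set(); // the persisted allow-always list
  }
  // The user clicked "allow always" for argv. Returns the key that was
  // persisted, or null if the engine refused to persist anything.
  approveAlways(argv) {
    const key = this.keyFn(argv);
    if (key !== null) this.allowAlways.add(key);
    return key;
  }
  // True when argv may run without prompting the user again.
  isPreApproved(argv) {
    const key = this.keyFn(argv);
    return key !== null && this.allowAlways.has(key);
  }
}

// Constructed scenario: the user approves a benign listing, then a later
// (possibly prompt-injected) request tries to run a shell via the same binary.
const BENIGN = ["/bin/busybox", "ls", "-la", "/tmp"];
const MALICIOUS = ["/bin/busybox", "sh", "-c", "id > /tmp/pwned"];

function runScenario(keyFn) {
  const engine = new ApprovalEngine(keyFn);
  engine.approveAlways(BENIGN);
  return {
    benignSkipsPrompt: engine.isPreApproved(BENIGN),
    maliciousSkipsPrompt: engine.isPreApproved(MALICIOUS),
  };
}

console.log("vulnerable:", runScenario(allowKeyVulnerable));
console.log("hardened:  ", runScenario(allowKeyHardened));
```

Under the vulnerable key both commands skip the prompt; under the hardened key only the exact `busybox:ls` approval is reused, so a request for `busybox sh` (or a different applet such as `busybox wget`) prompts again. One caveat the model does not cover: on systems where BusyBox applets are installed as symlinks, argv[0] will be `ls` rather than `busybox`, so a real engine must resolve the executable's real path before deciding whether it is a multiplexer.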


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Execution Approval Bypass
  • CWE ID: CWE-693 (Protection Mechanism Failure)
  • Affected Component: Authorization Engine / Persistence Layer
  • Attack Vector: Local / User-Assisted
  • Impact: Arbitrary Code Execution
  • Severity: High

Affected Systems

  • OpenClaw AI Assistant
  • openclaw (NPM package)
  • openclaw: <= 2026.2.22-2 (Fixed in: 2026.2.22-3)

Code Analysis

Commit: a67689a

Fix execution approval bypass for shell multiplexers

Mitigation Strategies

  • Upgrade to the patched version 2026.2.22-3 or later
  • Audit existing allow-always lists and remove any entry that grants a multiplexer binary as a whole rather than a single command
  • Restrict availability of shell multiplexers (busybox, toybox) in the environment where OpenClaw executes commands

Remediation Steps:

  1. Stop the OpenClaw service.
  2. Update the npm package (npm install openclaw@latest) and confirm with npm ls openclaw that the installed version is 2026.2.22-3 or later.
  3. Inspect the security.allowlist (or equivalent config file). The upgrade fixes how new approvals are recorded; do not assume it cleans up entries persisted by the vulnerable version.
  4. Remove any entry referencing busybox or toybox, since such an entry grants the whole multiplexer rather than the one command the user meant to approve.
  5. Restart the service.
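To support steps 3 and 4, the following added script (written for this page; it is not part of OpenClaw or the advisory) audits an allow-always list and separates entries that grant a shell multiplexer from the rest. It assumes each entry starts with the approved binary path, and it takes a resolver function so that symlinked applets are caught too: a constructed map stands in for the filesystem so the example runs offline, whereas in production you would pass `p => fs.realpathSync(p)`. The symlink check goes beyond the advisory's step 4; on systems where BusyBox applets are installed as symlinks, an innocent-looking entry such as `/usr/bin/wget` can resolve to the multiplexer itself. The sample allowlist and symlink map are constructed for the example.

```javascript
// Added example (not OpenClaw code): audit a persisted allow-always list for
// entries that grant blanket execution to a shell multiplexer. The entry
// format (approved binary path first, optional arguments after) is an assumption.

const MULTIPLEXER_NAMES = new Set(["busybox", "toybox"]);

function basename(p) {
  return p.split("/").filter(Boolean).pop() || p;
}

// resolve(path) must return the final symlink target of path (use
// fs.realpathSync in production). Entries whose target cannot be resolved
// are judged on their literal name.
function auditAllowlist(entries, resolve) {
  const kept = [];
  const flagged = [];
  for (const entry of entries) {
    const bin = entry.trim().split(/\s+/)[0];
    let target;
    try {
      target = resolve(bin);
    } catch {
      target = bin; // file missing or unreadable: fall back to the literal name
    }
    let reason = null;
    if (MULTIPLEXER_NAMES.has(basename(bin))) {
      reason = "multiplexer binary";
    } else if (MULTIPLEXER_NAMES.has(basename(target))) {
      reason = `symlink to ${target}`;
    }
    if (reason === null) kept.push(entry);
    else flagged.push({ entry, reason });
  }
  return { kept, flagged };
}

// Constructed symlink map standing in for the filesystem of a BusyBox host.
const SAMPLE_LINKS = {
  "/usr/bin/wget": "/bin/busybox",
  "/usr/bin/vi": "/usr/bin/vim.basic",
};
const sampleResolve = (p) => SAMPLE_LINKS[p] ?? p;

// Constructed allow-always list with the kinds of entries an audit meets.
const SAMPLE_ALLOWLIST = [
  "/bin/busybox",     // the entry this advisory is about
  "/usr/bin/wget",    // looks harmless, but is a BusyBox applet symlink
  "/usr/bin/vi",      // symlink, but to a normal editor
  "/usr/bin/git",
  "toybox ls",        // approval recorded with the applet still attached
];

function runAudit() {
  return auditAllowlist(SAMPLE_ALLOWLIST, sampleResolve);
}

const result = runAudit();
for (const f of result.flagged) console.log("REMOVE", f.entry, "-", f.reason);
for (const k of result.kept) console.log("keep  ", k);
```

Entries reported as REMOVE are the ones to delete in step 4; an entry like `toybox ls` is flagged as well, because after the fix the multiplexer should be re-approved through the patched engine rather than carried over from the old list.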
