GHSA-JJ82-76V6-933R: Execution Allowlist Bypass via Wrapper Injection in OpenClaw
Vulnerability ID: GHSA-JJ82-76V6-933R
CVSS Score: 6.6
Published: 2026-03-03
A critical protection mechanism failure in OpenClaw's execution allowlist logic allowed attackers to bypass security restrictions by nesting malicious commands inside permitted wrapper binaries. By failing to recursively analyze command arguments, the system permitted arbitrary code execution if a wrapper like 'env' or 'bash' was present in the allowed list.
TL;DR
OpenClaw's command validator only checked the primary executable name, ignoring arguments. Attackers could bypass the allowlist by passing malicious payloads as arguments to permitted wrappers like /usr/bin/env or /bin/bash.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: Protection Mechanism Failure
- CWE IDs: CWE-693, CWE-20
- CVSS v3.1: 6.6 (Medium/High)
- Attack Vector: Local / Remote (via API)
- Exploit Maturity: Proof of Concept Available
- Fixed Version: 2026.2.23
Affected Systems
- OpenClaw Gateway
- OpenClaw macOS Companion
- OpenClaw: <= 2026.2.22 (fixed in 2026.2.23)
Code Analysis
Commit: 2b63592
fix: unwrapping logic for exec approvals to prevent shell dispatch bypass
Exploit Details
- GitHub: The fix commit contains test cases demonstrating the bypass using env and sh.
Mitigation Strategies
- Upgrade to OpenClaw v2026.2.23
- Remove generic shell wrappers from safeBins
- Enable Sandbox Mode for isolation
- Limit recursion depth in custom policies
Remediation Steps:
- Pull the latest Docker image or binary for OpenClaw Gateway.
- Verify the version is >= 2026.2.23.
- Audit config.yaml or the policy database to remove env, bash, sh, powershell, and cmd.exe from the safeBins list.
- Restart the OpenClaw service.
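The following is an added example, not OpenClaw's code or its fix commit. It contrasts the vulnerable pattern described above (checking only the basename of argv[0]) with an allowlist check that peels wrapper binaries off the front of the command before deciding, refuses shell wrappers outright because a `-c` string cannot be reasoned about statically, and caps the unwrapping depth as the mitigation list suggests. The wrapper names, the subset of `env` flags handled, the `MAX_UNWRAP_DEPTH` value and the `auditSafeBins` helper are all assumptions made for illustration; the real policy format and tokenizer are not shown here.

```typescript
// Added example, not OpenClaw's implementation. Assumes argv is already
// tokenized (no shell parsing happens here) and that wrapper handling
// below is a reasonable approximation of real `env` behaviour.

type Verdict = { allowed: boolean; effective: string[]; reason: string };

// Wrappers that can be statically unwrapped to the command they launch.
const ENV_WRAPPERS = new Set(["env"]);
// Wrappers that interpret an opaque script/string: never safe to allowlist.
const SHELL_WRAPPERS = new Set(["sh", "bash", "powershell", "cmd.exe"]);
// Assumed bound on nested wrappers (env env env ... cmd).
const MAX_UNWRAP_DEPTH = 4;

// Basename that also understands Windows separators (cmd.exe paths).
function baseName(path: string): string {
  const last = path.split(/[\\/]/).pop();
  return last === undefined || last === "" ? path : last;
}

// Vulnerable pattern: only the primary executable name is consulted.
function naiveAllowed(argv: string[], safeBins: Set<string>): boolean {
  const head = argv[0];
  return head !== undefined && safeBins.has(baseName(head));
}

// Strip `env [-i] [-u NAME] [--] [NAME=value ...]` and return the inner command,
// or null when the invocation cannot be resolved with confidence.
function unwrapEnv(argv: string[]): string[] | null {
  let i = 1;
  while (i < argv.length) {
    const tok = argv[i];
    if (tok === undefined) break;
    if (tok === "-i" || tok === "--ignore-environment") { i += 1; continue; }
    if (tok === "-u" || tok === "--unset") { i += 2; continue; }
    if (tok === "--") { i += 1; break; }
    if (/^[A-Za-z_][A-Za-z0-9_]*=/.test(tok)) { i += 1; continue; }
    if (tok.startsWith("-")) return null; // unknown flag: refuse to guess
    break;
  }
  return i < argv.length ? argv.slice(i) : null;
}

// Hardened pattern: resolve the effective command, then allowlist that.
function hardenedCheck(argv: string[], safeBins: Set<string>): Verdict {
  let current = argv;
  for (let depth = 0; depth <= MAX_UNWRAP_DEPTH; depth++) {
    const head = current[0];
    if (head === undefined) {
      return { allowed: false, effective: current, reason: "empty command" };
    }
    const bin = baseName(head);
    if (SHELL_WRAPPERS.has(bin)) {
      return { allowed: false, effective: current, reason: `shell wrapper ${bin} rejected` };
    }
    if (ENV_WRAPPERS.has(bin)) {
      const inner = unwrapEnv(current);
      if (inner === null) {
        return { allowed: false, effective: current, reason: "unresolvable env invocation" };
      }
      current = inner;
      continue;
    }
    const ok = safeBins.has(bin);
    return { allowed: ok, effective: current, reason: ok ? "effective binary allowlisted" : `${bin} not allowlisted` };
  }
  return { allowed: false, effective: current, reason: "unwrap depth exceeded" };
}

// Remediation helper (assumed): report wrapper binaries present in safeBins.
function auditSafeBins(safeBins: Set<string>): string[] {
  return [...safeBins].filter((b) => ENV_WRAPPERS.has(b) || SHELL_WRAPPERS.has(b)).sort();
}

// Constructed, deliberately misconfigured policy for the demonstration.
const demoSafeBins = new Set(["ls", "env"]);
const wrapped = ["/usr/bin/env", "bash", "-c", "id"];
console.log("naive:", naiveAllowed(wrapped, demoSafeBins));       // true  (bypass)
console.log("hardened:", hardenedCheck(wrapped, demoSafeBins));   // allowed: false
console.log("audit:", auditSafeBins(demoSafeBins));               // ["env"]
```

The important design choice is that `hardenedCheck` rejects shells even when an administrator has put them in `safeBins`, which matches the remediation step of removing them: an allowlist that can be satisfied by `bash -c <anything>` is not an allowlist. The depth cap turns a pathological `env env env ... cmd` chain into a deny rather than unbounded work.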