Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. When sort is explicitly added to tools.exec.safeBins, remote attackers can bypass intended safe-bin approval constraints by leveraging the compress-program parameter to execute unauthorized external programs.
AnalysisAI
OpenClaw versions before 2026.2.22 allow local attackers with high privileges to execute arbitrary commands through a safeBins allowlist bypass in the compress-program option, enabling unauthorized external program execution despite security constraints. The vulnerability exploits improper validation of the sort tool configuration to circumvent intended access controls. A patch is available to remediate this command injection flaw.
Technical ContextAI
The vulnerability is rooted in CWE-78 (Improper Neutralization of Special Elements used in an OS Command, aka OS Command Injection), stemming from inadequate validation of the compress-program parameter within OpenClaw's safeBins configuration mechanism. OpenClaw (as identified via CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) implements a safeBins allowlist to restrict which external helper programs can be invoked during processing operations. The flaw occurs when the sort tool is explicitly added to tools.exec.safeBins; attackers can then abuse the compress-program option to bypass the intended approval constraints and invoke unauthorized external programs. This represents a classic case of authentication/authorization bypass through parameter injection, where a trusted configuration option becomes a vector for privilege escalation or lateral movement.
RemediationAI
Upgrade OpenClaw to version 2026.2.22 or later, which includes the fix committed at https://github.com/openclaw/openclaw/commit/57fbbaebca4d34d17549accf6092ae26eb7b605c. Organizations unable to patch immediately should review their safeBins configuration and explicitly remove the sort utility from tools.exec.safeBins unless it is absolutely required; additionally, enforce the principle of least privilege for accounts running OpenClaw processes to minimize the window of opportunity for exploitation. Network-level controls should restrict access to OpenClaw instances to trusted administrative users and services only.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12710
GHSA-vmqr-rc7x-3446