Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to smuggle payloads that satisfy allowlist entries while executing non-allowlisted commands.
AnalysisAI
OpenClaw contains an allowlist bypass vulnerability in its system.run exec analysis that fails to properly unwrap wrapper binaries like env and bash. Attackers with low-level privileges can chain wrapper binaries to smuggle malicious commands that appear to satisfy allowlist entries while actually executing non-allowlisted payloads. A patch is available from the vendor, and the vulnerability was disclosed through VulnCheck advisory; no public proof-of-concept code or active exploitation (KEV listing) has been reported at this time.
Technical ContextAI
The vulnerability affects OpenClaw (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) versions prior to 2026.2.22 and is rooted in CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The issue arises from insufficient validation in system.run's exec analysis logic, which implements an allowlist approach to restrict executable commands. However, the validation mechanism fails to recursively unwrap wrapper binary chains such as env bash -c or similar shell-dispatch constructs. This allows attackers to nest wrappers that individually pass allowlist checks but ultimately execute arbitrary commands when the chain is resolved by the operating system. The flaw represents a classic allowlist bypass through indirection, where the security control validates the outermost wrapper (e.g., /usr/bin/env) without inspecting the complete command execution chain that follows.
RemediationAI
Upgrade OpenClaw to version 2026.2.22 or later, which includes the fix implemented in commit 2b63592be57782c8946e521bc81286933f0f99c7 available at https://github.com/openclaw/openclaw/commit/2b63592be57782c8946e521bc81286933f0f99c7. Review the vendor security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r for complete upgrade instructions and any additional security recommendations. As a temporary mitigation until patching is complete, restrict access to system.run functionality to only highly trusted administrative users, implement additional input validation or sandboxing controls at the application layer, and monitor system logs for suspicious command execution patterns involving wrapper binaries like env, bash, or sh with unexpected argument chains. Consider implementing application-level allowlists that recursively parse and validate entire command chains rather than only the initial executable.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13007
GHSA-jj82-76v6-933r