EUVD-2026-13007
GHSA-jj82-76v6-933r
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4Description
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to smuggle payloads that satisfy allowlist entries while executing non-allowlisted commands.
Analysis
OpenClaw contains an allowlist bypass vulnerability in its system.run exec analysis that fails to properly unwrap wrapper binaries like env and bash. Attackers with low-level privileges can chain wrapper binaries to smuggle malicious commands that appear to satisfy allowlist entries while actually executing non-allowlisted payloads. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems running OpenClaw and assess exposure level; notify relevant team leads of vulnerability status. Within 7 days: Apply vendor patch to all non-production OpenClaw instances and conduct testing in staging environment to validate compatibility and functionality. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today