Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags or recursive grep flags. Attackers with command execution access can leverage sort -o flag for arbitrary file writes or grep -R flag for recursive file reads, circumventing intended stdin-only restrictions.
AnalysisAI
OpenClaw versions prior to 2026.2.19 contain an input validation bypass in the tools.exec.safeBins component that allows local attackers with command execution privileges to circumvent stdin-only restrictions and perform arbitrary filesystem operations. By exploiting sort output flags (specifically the -o flag for arbitrary file writes) or recursive grep flags (-R for recursive file reads), authenticated attackers can read sensitive files or overwrite critical files despite intended access controls. While the CVSS score of 3.6 is moderate and requires local access with low privileges, the vulnerability represents a privilege escalation or sandbox escape technique rather than a critical remote exploit.
Technical ContextAI
The vulnerability exists in OpenClaw's safeBins execution wrapper (a security-conscious command execution abstraction), which attempts to restrict command-line tools to stdin-only operation to prevent unintended filesystem side effects. However, the input validation logic fails to sanitize dangerous command-line flags specific to GNU utilities. The sort command's -o (output file) flag and grep's -R (recursive directory traversal) flag are not properly blocked, allowing attackers to bypass the intended restriction model. This is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command, aka OS Command Injection), though technically it is a flag injection rather than full command injection. The affected product OpenClaw (CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) is an application security or development tool that depends on safe command execution for sandboxing or restricted execution environments.
RemediationAI
Immediately upgrade OpenClaw to version 2026.2.19 or later, which includes the fix committed at https://github.com/openclaw/openclaw/commit/2c05cbb43e48ebad03626d3125746fb1b9a8520f. This patch adds proper input validation to reject dangerous command-line flags (sort -o, grep -R, and similar filesystem-modifying flags) before execution. Organizations unable to patch immediately should restrict command execution access within OpenClaw to highly trusted users only, disable or sandbox the tools.exec.safeBins component if unused, and implement host-level file access controls (read-only mounts, SELinux/AppArmor policies) to limit the blast radius of potential flag-injection attacks. Monitor OpenClaw activity logs for suspicious sort or grep invocations with output redirection flags.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13031
GHSA-4685-c5cp-vp95