Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated operator (PR:L) submits crafted system.run over the network (AV:N/AC:L, UI:N); primary described impact is sensitive file read (C:H) with limited integrity from command reinterpretation (I:L) and no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expansion to modify command interpretation on POSIX nodes. Authenticated operators can exploit shell metacharacters in approved commands to read unintended node-local files and expose sensitive configuration data.
AnalysisAI
Information disclosure in OpenClaw before 2026.5.18 lets authenticated operators abuse shell metacharacter expansion within the system.run safe-bin allowlist to read unintended node-local files on POSIX nodes and exfiltrate sensitive configuration data. The flaw bypasses command-policy enforcement because the allowlist validates a literal command string while the underlying shell re-interprets it at execution time. No public exploit identified at time of analysis.
Technical ContextAI
OpenClaw exposes a system.run capability that vets requested commands against a safe-bin allowlist before dispatching them to managed nodes. On POSIX nodes the command is handed to a shell, so wildcards, brace expansion, command substitution ($()/backticks), variable expansion, and IFS handling can alter which binary actually runs or which paths are read after the allowlist check. CWE-367 (Time-of-check Time-of-use) characterizes this gap: the policy engine checks a stable, vetted string but the shell re-parses and expands it before execution, opening a window where the operator-supplied operand changes the effective command. The affected CPE is cpe:2.3:a:openclaw:openclaw:* on POSIX-based deployments.
RemediationAI
Vendor-released patch: OpenClaw 2026.5.18 - upgrade to this version or later per advisory GHSA-mhq8-78pj-5j79 (https://github.com/openclaw/openclaw/security/advisories/GHSA-mhq8-78pj-5j79). If immediate upgrade is not possible, tighten operator role assignments to the minimum trusted set and scope or disable the system.run capability on POSIX nodes; route approved commands through an execve-style invocation that does not spawn a shell, which removes metacharacter expansion at the cost of breaking legitimate uses that rely on globs or pipelines; and enable auditing of system.run arguments for shell metacharacters (` `, $(, *, ?, |, ;, &, <, >`) to surface abuse attempts. Each workaround reduces operator productivity by limiting legitimate command flexibility, so prefer the patch.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36619
GHSA-gwcq-453v-2frr