Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L and AC:H reflect local-only, allowlist-configuration-dependent exploitation; PR:L per CVSS 4.0 source; no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.5.6.
DescriptionCVE.org
OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.
AnalysisAI
OpenClaw's macOS Swift exec feature fails to correctly evaluate combined POSIX inline-command flags against its configured command allowlist, enabling a local low-privileged attacker to execute shell content that should be blocked. Affected versions are all OpenClaw releases before 2026.5.6 on macOS. Exploitation depends on an operator-configured allowlist being in place - when that allowlist is configured, a local user can bypass it entirely by using combined flag forms (e.g., -abc instead of -a -b -c), achieving high confidentiality and integrity impact. No public exploit code or CISA KEV listing has been identified at time of analysis.
Technical ContextAI
OpenClaw (CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) implements a Swift-based exec feature on macOS that evaluates user-supplied commands against an operator-defined allowlist before execution. The root cause is CWE-184 (Incomplete List of Disallowed Inputs): the allowlist validation logic tokenizes or parses command-line flags individually and does not normalize combined POSIX short-option forms (e.g., -rfc being equivalent to -r -f -c). Because combined flag forms are not decomposed prior to allowlist comparison, they are treated as unknown/unrecognized tokens that fall outside the check, bypassing the intended restriction. This is a parsing inconsistency between how the allowlist engine interprets flags and how the underlying shell or exec syscall interprets them, a common class of security bypass in command filtering implementations on POSIX-compatible systems.
RemediationAI
Upgrade OpenClaw to version 2026.5.6 or later, which resolves the incomplete allowlist parsing by correctly normalizing combined POSIX inline-command flags before allowlist evaluation. The vendor patch is documented at https://github.com/openclaw/openclaw/security/advisories/GHSA-c226-q6fx-6j6c. As a compensating control for environments that cannot immediately upgrade, operators may disable the macOS Swift exec feature entirely if it is not operationally required - this eliminates the attack surface at the cost of losing exec functionality. If the feature must remain active, restricting the set of permitted local users who can invoke it (via OS-level access controls or sandboxing) reduces the pool of potential attackers, though it does not fix the underlying bypass. Tightening the allowlist to block all short combined flag patterns is not a reliable mitigation, as the number of possible combined forms is combinatorially large.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37163
GHSA-c226-q6fx-6j6c