OpenClaw: Malicious Commands Can Still Be Stored
GHSA-9q2p-vc84-2rwm
Summary
OpenClaw's feature for storing trusted ("allow-always") commands did not honor shell comment syntax, so a command tail that the shell would never run could still be stored as trusted and potentially executed later. This was fixed in version 2026.3.7. If you use OpenClaw, update to the latest version to remove this risk.
What to do
- Update openclaw to version 2026.3.7 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.7 | 2026.3.7 |
Original title
OpenClaw: system.run allow-always persistence included shell-commented payload tails
Original description
OpenClaw's `system.run` allowlist analysis did not honor POSIX shell comment semantics when deriving `allow-always` persistence entries.
A caller in `security=allowlist` mode who received an `allow-always` decision could submit a shell command whose tail was commented out at runtime, for example by using an unquoted `#` before a chained payload. The runtime shell would execute only the pre-comment portion, but allowlist persistence could still analyze and store the non-executed tail as a trusted follow-up command.
Latest published npm version: `2026.3.2`
Fixed on `main` on March 7, 2026 in `939b18475d734ed75173f59507e3ebbdfe1992b7` by teaching shell tokenization and chain/pipeline analysis to stop at unquoted shell comments, so allow-always persistence now tracks only commands that the shell can actually execute. Normal real chained commands and quoted `#` literals continue to work.
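To make the tokenization difference concrete, here is an added example (not OpenClaw's code, and not the fix commit) of a minimal chain splitter: with `honorComments` set, an unquoted `#` that begins a word ends analysis for that line as a POSIX shell would, while a quoted or mid-word `#` stays literal; with it unset, the splitter shows the pre-fix behaviour of persisting a tail the shell never executes. The inputs are constructed and benign.

```javascript
// Added example, not OpenClaw's code: split a shell command line into the
// segments an allowlist would persist. With honorComments=true an unquoted `#`
// that starts a word ends the line, as a POSIX shell treats it; with
// honorComments=false it is an ordinary character (the pre-fix behaviour).
const CHAIN_OPS = ["&&", "||", ";", "|"];

function splitChain(cmd, honorComments = true) {
  const segments = [];
  let cur = "";
  let quote = null;        // active quote character, or null when unquoted
  let atWordStart = true;  // true when the next character would begin a word
  const push = () => { if (cur.trim()) segments.push(cur.trim()); cur = ""; };

  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd[i];
    if (quote) {                                 // inside quotes: copy verbatim
      cur += ch;
      if (ch === "\\" && quote === '"') { cur += cmd[++i] ?? ""; continue; }
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "\\") {                           // backslash escapes next char
      cur += ch + (cmd[++i] ?? ""); atWordStart = false; continue;
    }
    if (ch === "'" || ch === '"') { quote = ch; cur += ch; atWordStart = false; continue; }
    if (honorComments && ch === "#" && atWordStart) {
      // Shell comment: skip to the newline (which then acts as a separator)
      // or to end of input. Nothing after this point can execute.
      const nl = cmd.indexOf("\n", i);
      if (nl === -1) break;
      i = nl - 1; continue;
    }
    const op = CHAIN_OPS.find((o) => cmd.startsWith(o, i));
    if (op || ch === "\n") {                     // chain/pipeline boundary
      push(); i += op ? op.length - 1 : 0; atWordStart = true; continue;
    }
    cur += ch;
    atWordStart = /\s/.test(ch);
  }
  push();
  return segments;
}

// Constructed benign inputs showing both behaviours.
console.log(splitChain("ls # && echo dropped"));         // fixed:   ["ls"]
console.log(splitChain("ls # && echo dropped", false));  // pre-fix: ["ls #", "echo dropped"]
console.log(splitChain("echo '#literal' && ls -la"));    // ["echo '#literal'", "ls -la"]
```

Only the segments returned with `honorComments` on are ones the shell can actually run, which is the invariant the fix restores for allow-always persistence.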
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.2`
- Patched version: `>= 2026.3.7`
## Fix Commit(s)
- `939b18475d734ed75173f59507e3ebbdfe1992b7`
## Release Process Note
npm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey for reporting.
CVSS 3.1 (OSV): 5.0
Vulnerability type
- CWE-436: Interpretation Conflict
- CWE-863: Incorrect Authorization
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026