Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.0
OpenClaw: Malicious Commands Can Bypass Shell Approval in Certain Scenarios
GHSA-r6qf-8968-wj9q
Summary
OpenClaw, a tool for running commands, has a security issue that allows malicious commands to bypass shell approval in certain situations. This could potentially allow unauthorized actions to be executed without proper review. To fix this issue, update to version 2026.3.7 or later.
What to do
- Update openclaw to version 2026.3.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.2 | 2026.3.7 |
Original title
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating
Original description
OpenClaw's `system.run` dispatch-wrapper handling applied different depth-boundary rules to shell-wrapper approval detection and execution planning.
With exactly four transparent dispatch wrappers such as repeated `env` invocations before `/bin/sh -c`, the approval classifier could stop treating the command as a shell wrapper at the depth boundary while execution planning still unwrapped through to the shell payload. In `security=allowlist` mode, that mismatch could skip the expected approval-required path for the shell wrapper invocation.
Latest published npm version: `2026.3.2`
Fixed on `main` on March 7, 2026 in `2fc95a7cfc1eb9306356510b0251b6d51fb1c0b0` by keeping shell-wrapper classification active at the configured dispatch depth boundary and only failing closed beyond that boundary. This aligns approval gating with the execution plan. Legitimate shallow dispatch-wrapper usage continues to work.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.2`
- Patched version: `>= 2026.3.7`
## Fix Commit(s)
- `2fc95a7cfc1eb9306356510b0251b6d51fb1c0b0`
## Release Process Note
npm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey for reporting.
With exactly four transparent dispatch wrappers such as repeated `env` invocations before `/bin/sh -c`, the approval classifier could stop treating the command as a shell wrapper at the depth boundary while execution planning still unwrapped through to the shell payload. In `security=allowlist` mode, that mismatch could skip the expected approval-required path for the shell wrapper invocation.
Latest published npm version: `2026.3.2`
Fixed on `main` on March 7, 2026 in `2fc95a7cfc1eb9306356510b0251b6d51fb1c0b0` by keeping shell-wrapper classification active at the configured dispatch depth boundary and only failing closed beyond that boundary. This aligns approval gating with the execution plan. Legitimate shallow dispatch-wrapper usage continues to work.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.2`
- Patched version: `>= 2026.3.7`
## Fix Commit(s)
- `2fc95a7cfc1eb9306356510b0251b6d51fb1c0b0`
## Release Process Note
npm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey for reporting.
ghsa CVSS3.1
5.0
Vulnerability type
CWE-436
CWE-863
Incorrect Authorization
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026