OpenClaw: Shallow Command Wrappers Can Bypass Approval
GHSA-r6qf-8968-wj9q
Summary
OpenClaw's system.run feature in versions up to 2026.3.2 can be tricked into skipping security checks for certain commands. This means that malicious commands may be executed without proper approval in certain situations. Update to OpenClaw version 2026.3.7 or later to fix this issue.
What to do
- Update openclaw to version 2026.3.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.7 | 2026.3.7 |
Original title
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating
Original description
OpenClaw's `system.run` dispatch-wrapper handling applied different depth-boundary rules to shell-wrapper approval detection and execution planning.
With exactly four transparent dispatch wrappers such as repeated `env` invocations before `/bin/sh -c`, the approval classifier could stop treating the command as a shell wrapper at the depth boundary while execution planning still unwrapped through to the shell payload. In `security=allowlist` mode, that mismatch could skip the expected approval-required path for the shell wrapper invocation.
Latest published npm version: `2026.3.2`
Fixed on `main` on March 7, 2026 in `2fc95a7cfc1eb9306356510b0251b6d51fb1c0b0` by keeping shell-wrapper classification active at the configured dispatch depth boundary and only failing closed beyond that boundary. This aligns approval gating with the execution plan. Legitimate shallow dispatch-wrapper usage continues to work.
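The depth-boundary mismatch described above, as an added illustrative model written for this page (not OpenClaw's code): the depth limit of 4, the wrapper and shell sets, `unwrap`, and the gate decision names are assumptions. The vulnerable classifier gives up at exactly the configured depth while the planner keeps unwrapping; the fixed classifier still classifies at that depth and fails closed beyond it.

```javascript
// Illustrative model of the depth-boundary mismatch (assumed names and limits,
// not OpenClaw's code): wrappers, shells and the depth limit of 4 are assumptions.
const MAX_DISPATCH_DEPTH = 4;
const TRANSPARENT_WRAPPERS = new Set(["env", "/usr/bin/env"]);
const SHELLS = new Set(["sh", "/bin/sh", "bash", "/bin/bash"]);
// Peel at most maxDepth transparent wrappers and report how many were peeled.
function unwrap(argv, maxDepth) {
  let depth = 0;
  let rest = argv;
  while (depth < maxDepth && rest.length > 0 && TRANSPARENT_WRAPPERS.has(rest[0])) {
    rest = rest.slice(1);
    depth += 1;
  }
  return { depth, rest };
}

const isShellWrapper = (argv) =>
  argv.length >= 3 && SHELLS.has(argv[0]) && argv[1] === "-c";

// Execution planner: unwraps through the boundary and runs whatever remains.
function planExecution(argv) {
  return unwrap(argv, MAX_DISPATCH_DEPTH).rest;
}

// Vulnerable classifier: at the boundary it stops unwrapping and reports the outer
// wrapper as the executable, so the shell check never runs on the payload.
function classifyVulnerable(argv) {
  const { depth, rest } = unwrap(argv, MAX_DISPATCH_DEPTH);
  if (depth >= MAX_DISPATCH_DEPTH) return { shell: false, exec: argv[0] }; // BUG
  return { shell: isShellWrapper(rest), exec: rest[0] };
}

// Fixed classifier: classification stays active at exactly the boundary; if
// wrappers remain beyond it, fail closed instead of guessing.
function classifyFixed(argv) {
  const { rest } = unwrap(argv, MAX_DISPATCH_DEPTH);
  if (rest.length === 0 || TRANSPARENT_WRAPPERS.has(rest[0])) return { shell: false, exec: null };
  return { shell: isShellWrapper(rest), exec: rest[0] };
}

// Allowlist-mode gate: shell wrappers always need approval, an unresolvable
// executable is denied, anything else must match the allowlist or be approved.
function gate(argv, allowlist, classify) {
  const c = classify(argv);
  if (c.exec === null) return "deny";
  if (c.shell) return "approval";
  return allowlist.has(c.exec) ? "allow" : "approval";
}
```

With `env` on the allowlist, four `env` wrappers around `/bin/sh -c` pass the vulnerable gate as "allow" while `planExecution` still yields the shell invocation; the fixed gate returns "approval" there and "deny" for a fifth wrapper.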
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.2`
- Patched version: `>= 2026.3.7`
## Fix Commit(s)
- `2fc95a7cfc1eb9306356510b0251b6d51fb1c0b0`
## Release Process Note
npm `2026.3.7` was published on March 8, 2026. The fix described in this advisory is included in the released package.
Thanks @tdjackey for reporting.
CVSS 3.1 (osv): 5.0
Vulnerability type: CWE-436, CWE-863 (Incorrect Authorization)
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026