CVSS 4.0 (GHSA): 5.1
OpenClaw for macOS allows unauthorized execution of local files
GHSA-7f4q-9rqh-x36p
Summary
OpenClaw on macOS can allow a malicious local file that has the same name as a trusted program to be executed without asking for approval. This affects versions of OpenClaw before 2026.2.22. To fix it, update to the latest version of OpenClaw, which prevents this from happening. If you are running the latest version, you are already safe.
What to do
- Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw: macOS optional allowlist basename matching could bypass path-based policy
Original description
### Summary
On macOS node-host, optional exec-approval allowlist mode previously treated basename-only entries (for example `echo`) as trusted command matches.
This could allow a same-name local binary (for example `./echo`) to run without approval under `security=allowlist` + `ask=on-miss`.
### Scope / Preconditions
- macOS node-host path.
- Optional exec approvals feature enabled with `security=allowlist`.
- Basename-only allowlist entries configured.
Default install posture is not impacted: `security=deny` by default.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version at triage time: `2026.2.21-2`
- Vulnerable range: `<=2026.2.21-2`
- Planned patched version (next release): `>= 2026.2.22`
### Remediation
- Enforced path-only allowlist matching on macOS node-host (basename fallback removed).
- Added migration for legacy basename allowlist entries to last-resolved paths when available.
- UI/store validation now rejects non-path allowlist patterns.
### Fix Commit(s)
- dd41fadcaf58fd9deb963d6e163c56161e7b35dd
### Release Process Note
The patched version is pre-set for the planned next release (`2026.2.22`). Once that npm release is out, the advisory can be published without further field edits.
OpenClaw thanks @tdjackey for reporting.
Vulnerability type: CWE-863 (Incorrect Authorization)
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026