Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
OpenClaw has allowlist exec-guard bypass via env -S
GHSA-48wf-g7cp-gr3m
Summary
### Summary
In `allowlist` mode, `system.run` guardrails could be bypassed through `env -S`, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.
### Severity Rationale (Medium)
This issue is rated **medium** because it is a guardrail/policy bypass in OpenClaw's trusted-op...
What to do
- Update steipete openclaw to version 2026.2.23.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.23 | 2026.2.23 |
Original title
OpenClaw has allowlist exec-guard bypass via env -S
Original description
### Summary
In `allowlist` mode, `system.run` guardrails could be bypassed through `env -S`, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.
### Severity Rationale (Medium)
This issue is rated **medium** because it is a guardrail/policy bypass in OpenClaw's trusted-operator model, not an authentication boundary break.
- Authenticated Gateway callers are trusted operators by design.
- `exec` approvals/allowlists are operator safety controls.
- The bug still weakens expected safety behavior and can enable unintended command execution when untrusted content influences tool input.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable versions: `<= 2026.2.22-2`
- Patched versions: `>= 2026.2.23`
Latest published npm version checked during triage: `2026.2.22-2`.
### Technical Impact
When `/usr/bin/env` is allowlisted, `env -S 'sh -c ...'` could be treated as allowed non-wrapper argv while runtime still executes shell-wrapper semantics.
### Fix Commit(s)
- `a1c4bf07c6baad3ef87a0e710fe9aef127b1f606` (core allowlist/runtime parity hardening)
- `3f923e831364d83d0f23499ee49961de334cf58b` (explicit `env -S` regressions)
### Release Process Note
`patched_versions` is pre-set to `>= 2026.2.23`, so this advisory is now public.
OpenClaw thanks @tdjackey for reporting.
In `allowlist` mode, `system.run` guardrails could be bypassed through `env -S`, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.
### Severity Rationale (Medium)
This issue is rated **medium** because it is a guardrail/policy bypass in OpenClaw's trusted-operator model, not an authentication boundary break.
- Authenticated Gateway callers are trusted operators by design.
- `exec` approvals/allowlists are operator safety controls.
- The bug still weakens expected safety behavior and can enable unintended command execution when untrusted content influences tool input.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable versions: `<= 2026.2.22-2`
- Patched versions: `>= 2026.2.23`
Latest published npm version checked during triage: `2026.2.22-2`.
### Technical Impact
When `/usr/bin/env` is allowlisted, `env -S 'sh -c ...'` could be treated as allowed non-wrapper argv while runtime still executes shell-wrapper semantics.
### Fix Commit(s)
- `a1c4bf07c6baad3ef87a0e710fe9aef127b1f606` (core allowlist/runtime parity hardening)
- `3f923e831364d83d0f23499ee49961de334cf58b` (explicit `env -S` regressions)
### Release Process Note
`patched_versions` is pre-set to `>= 2026.2.23`, so this advisory is now public.
OpenClaw thanks @tdjackey for reporting.
ghsa CVSS4.0
5.3
Vulnerability type
CWE-184
CWE-193
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026