Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.1
OpenClaw: Bypassing Security Restrictions Through Wrapper Binaries
GHSA-jj82-76v6-933r
Summary
OpenClaw's security feature was not properly checking for malicious code hidden in wrapper binaries. This means that an attacker could potentially use OpenClaw to run unauthorized commands, even if they are not on the allowed list. To stay secure, update OpenClaw to version 2026.2.22 or later.
What to do
- Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains
Original description
### Summary
`system.run` exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap `env`/shell-dispatch wrappers.
This allowed wrapper-smuggled payloads (for example `env bash -lc ...`) to satisfy an allowlist entry for the wrapper while executing non-allowlisted commands.
### Impact
On affected versions, an actor who can trigger `system.run` requests under an allowlist policy could bypass intended allowlist restrictions by routing execution through wrapper binaries.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.21-2`
- Patched in next release: `2026.2.22` (pre-set below so publish can happen immediately after npm release)
### Fix Commit(s)
- `2b63592be57782c8946e521bc81286933f0f99c7`
### Release Process Note
`patched_versions` is pre-set to the planned next release (`>= 2026.2.22`).
After npm `2026.2.22` is published, this advisory can be published directly without further metadata edits.
OpenClaw thanks @tdjackey for reporting.
`system.run` exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap `env`/shell-dispatch wrappers.
This allowed wrapper-smuggled payloads (for example `env bash -lc ...`) to satisfy an allowlist entry for the wrapper while executing non-allowlisted commands.
### Impact
On affected versions, an actor who can trigger `system.run` requests under an allowlist policy could bypass intended allowlist restrictions by routing execution through wrapper binaries.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.21-2`
- Patched in next release: `2026.2.22` (pre-set below so publish can happen immediately after npm release)
### Fix Commit(s)
- `2b63592be57782c8946e521bc81286933f0f99c7`
### Release Process Note
`patched_versions` is pre-set to the planned next release (`>= 2026.2.22`).
After npm `2026.2.22` is published, this advisory can be published directly without further metadata edits.
OpenClaw thanks @tdjackey for reporting.
ghsa CVSS4.0
7.1
Vulnerability type
CWE-78
OS Command Injection
CWE-863
Incorrect Authorization
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026