CVSS 3.1 score: 6.4
OpenClaw allows attackers to bypass approval and run malicious commands
GHSA-6j27-pc5c-m8w8
Summary
A bug in OpenClaw's approval system could allow attackers to run commands without permission. This could happen if a legitimate approval was given to a command that included a specific wrapper. To fix this, update to the latest version of OpenClaw (2026.2.22) or change the security settings to 'deny' all commands until the update is applied.
What to do
- Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
Original description
### Summary
In `openclaw` npm releases up to and including `2026.2.21-2`, approving wrapped `system.run` commands with `allow-always` in `security=allowlist` mode could persist wrapper-level allowlist entries and enable later approval-bypass execution of different inner payloads.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.21-2`
- Planned patched version: `2026.2.22`
### Details
`allow-always` persistence was based on wrapper-level resolution instead of stable inner executable intent. A benign approved wrapper invocation could therefore broaden future trust boundaries.
Affected paths included gateway and node-host execution approval persistence flows. The fix now persists inner executable paths for known dispatch-wrapper chains (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) and fails closed when safe unwrapping cannot be derived.
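As an added example (not OpenClaw's own code), the TypeScript below contrasts the wrapper-level key the advisory describes with a fail-closed derivation that peels the named dispatch wrappers (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) down to the inner executable. The per-wrapper option tables and the shell check are assumptions made for illustration, not the project's parser.

```typescript
// Added example, not OpenClaw's own code. The wrapper list is from the advisory;
// the per-wrapper option tables are assumptions made here for illustration.
const DISPATCH_WRAPPERS = new Set(["env", "nice", "nohup", "stdbuf", "timeout"]);

// Wrapper options that consume the next token (assumed subset, not exhaustive).
const OPTS_WITH_ARG: Record<string, Set<string>> = {
  env: new Set<string>(["-u", "-C", "-S"]),
  nice: new Set<string>(["-n"]),
  nohup: new Set<string>(),
  stdbuf: new Set<string>(["-i", "-o", "-e"]),
  timeout: new Set<string>(["-s", "-k"]),
};
// Inner programs whose real command is an opaque string (assumption of this example).
const OPAQUE_INTERPRETERS = new Set<string>(["sh", "bash", "zsh", "dash"]);

function basename(p: string): string {
  return p.split("/").pop() || p;
}

// Flawed keying (the bug): the persisted entry is the outermost program, so one
// approved wrapper invocation matches any later payload behind the same wrapper.
function wrapperLevelKey(argv: string[]): string | null {
  return argv.length > 0 ? basename(argv[0]) : null;
}

// Hardened keying: peel known dispatch wrappers down to the inner executable and
// fail closed (null, nothing persisted) when that cannot be derived safely.
function innerExecutableKey(argv: string[]): string | null {
  let i = 0;
  while (i < argv.length && DISPATCH_WRAPPERS.has(basename(argv[i]))) {
    const wrapper = basename(argv[i++]);
    while (i < argv.length) {
      const tok = argv[i];
      if (tok === "--") { i++; break; }                 // end of wrapper options
      if (tok.charAt(0) === "-") {                       // a wrapper option
        i += OPTS_WITH_ARG[wrapper].has(tok) ? 2 : 1;
        continue;
      }
      if (wrapper === "env" && tok.indexOf("=") >= 0) { i++; continue; } // VAR=value
      if (wrapper === "timeout" && /^\d/.test(tok)) { i++; continue; }   // duration
      break;                                             // reached the inner command
    }
  }
  const inner = argv[i];
  // Fail closed on an empty or option-shaped remainder, or on an opaque interpreter.
  if (!inner || inner.charAt(0) === "-") return null;
  const name = basename(inner);
  return OPAQUE_INTERPRETERS.has(name) ? null : name;
}
```

Under the flawed key, two invocations that differ only in the inner program collapse to the same persisted entry; under the hardened key they do not, and an unparseable remainder persists nothing.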
### Impact
Authorization boundary bypass in allowlist mode, potentially leading to approval-free command execution (RCE class) on subsequent wrapped invocations.
### Mitigation
Upgrade to `2026.2.22` (planned next release) or run with stricter exec policy (`ask=always` / `security=deny`) until upgraded.
### Fix Commit(s)
- `24c954d972400f508814532dea0e4dcb38418bb0`
### Release Process Note
`patched_versions` is pre-set to `2026.2.22` so this advisory is publish-ready; publish after the npm release is live.
OpenClaw thanks @tdjackey for reporting.
CVSS 3.1 (ghsa): 6.4
Vulnerability type
- CWE-78: OS Command Injection
- CWE-863: Incorrect Authorization
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026