
OpenClaw's system.run fails to block PowerShell encoded commands

GHSA-3h2q-j2v4-6w5r
Summary

Using OpenClaw's system.run with PowerShell's -EncodedCommand could bypass approval checks, allowing malicious code to run without review. This issue has been fixed in versions 2026.3.7 and later. Upgrade to the latest version of OpenClaw to ensure approval checks work as intended.

What to do
  • Update openclaw to version 2026.3.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.2 | 2026.3.7 |
Original title
OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers
Original description
OpenClaw's `system.run` shell-wrapper detection did not recognize PowerShell `-EncodedCommand` forms as inline-command wrappers.

In `allowlist` mode, a caller with access to `system.run` could invoke `pwsh` or `powershell` using `-EncodedCommand`, `-enc`, or `-e`, and the request would fall back to plain argv analysis instead of the normal shell-wrapper approval path. This could allow a PowerShell inline payload to execute without the approval step that equivalent `-Command` invocations would require.

Latest published npm version: `2026.3.2`

Fixed on `main` on March 7, 2026 in `1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d` by recognizing PowerShell encoded-command aliases during shell-wrapper parsing, so allowlist mode continues to require approval for those payloads. Normal approved PowerShell wrapper flows continue to work.
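
The class of bug described above, as an added illustration that is not OpenClaw's own code: a minimal shell-wrapper classifier whose inline-command flag list is missing the encoded-command aliases, beside the completed list. The binary names, flag sets, function names and the base64 argument are hypothetical (the base64 value is constructed and merely decodes to the letter "A").

```typescript
// Added example, not OpenClaw's implementation: classify a system.run argv as a
// PowerShell inline-command wrapper that must go through the approval path.

type WrapperVerdict = { isInlineWrapper: boolean; flag?: string };

// Hypothetical set of binaries treated as PowerShell.
const POWERSHELL_BINARIES = new Set(["pwsh", "pwsh.exe", "powershell", "powershell.exe"]);

// Before the fix (illustrative): only the -Command spellings count as inline wrappers,
// so an encoded command falls back to plain argv analysis.
const INCOMPLETE_INLINE_FLAGS = new Set(["-command", "-c"]);

// After the fix: the encoded-command aliases named in the advisory are recognized too.
const COMPLETE_INLINE_FLAGS = new Set(["-command", "-c", "-encodedcommand", "-enc", "-e"]);

// Strip directories so both "pwsh" and "C:\...\powershell.exe" are recognized.
function baseName(path: string): string {
  return path.split(/[\\/]/).pop()!.toLowerCase();
}

function classify(argv: string[], inlineFlags: Set<string>): WrapperVerdict {
  if (argv.length === 0 || !POWERSHELL_BINARIES.has(baseName(argv[0]))) {
    return { isInlineWrapper: false };
  }
  for (const arg of argv.slice(1)) {
    // PowerShell parameters are case-insensitive; Windows PowerShell also accepts
    // a leading slash, so "/E" is normalized to "-e" before the lookup.
    const normalized = arg.replace(/^\//, "-").toLowerCase();
    if (inlineFlags.has(normalized)) {
      return { isInlineWrapper: true, flag: normalized };
    }
  }
  return { isInlineWrapper: false };
}

// True when the argv must take the shell-wrapper approval path.
function requiresApprovalVulnerable(argv: string[]): boolean {
  return classify(argv, INCOMPLETE_INLINE_FLAGS).isInlineWrapper;
}

function requiresApprovalFixed(argv: string[]): boolean {
  return classify(argv, COMPLETE_INLINE_FLAGS).isInlineWrapper;
}

// Constructed sample: "QQA=" is UTF-16LE "A" in base64.
const SAMPLE_ENCODED_ARGV = ["pwsh", "-NoProfile", "-enc", "QQA="];
```

Running `requiresApprovalVulnerable(SAMPLE_ENCODED_ARGV)` returns false while `requiresApprovalFixed` returns true, which is the gap the advisory describes.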

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.2`
- Patched version: `>= 2026.3.7`

## Fix Commit(s)

- `1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d`

## Release Process Note

npm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.

Thanks @tdjackey for reporting.
CVSS 3.1 (GHSA): 5.0
Vulnerability type
CWE-184 Incomplete List of Disallowed Inputs
CWE-863 Incorrect Authorization
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026