OpenClaw Allows Execution of Unauthorized Code Through Shell Wrappers
GHSA-gwqp-86q6-w47g
Summary
A security issue in OpenClaw could allow unauthorized code to be executed, even if you've restricted certain actions. This happens because OpenClaw doesn't properly check some types of shell wrappers. To fix this, the OpenClaw developers have updated the software to better detect and handle these wrappers. If you're using OpenClaw, update to the latest version to ensure you have the fix.
What to do
- Update openclaw to version 2026.2.23.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.23 | 2026.2.23 |
Original title
OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)
Original description
### Summary
OpenClaw exec approvals could be bypassed in `allowlist` mode when `allow-always` was granted through unrecognized multiplexer shell wrappers (notably `busybox sh -c` and `toybox sh -c`).
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.22-2`
- Latest published vulnerable version at triage time: `2026.2.22-2` (checked on February 24, 2026)
- Fixed on `main`: yes
- Patched release: `2026.2.23`
### Details
Wrapper analysis treated `busybox`/`toybox` invocations as non-wrapper commands in this path, so `allow-always` persisted the wrapper binary path instead of the inner executable. That allowed later arbitrary payloads under the same multiplexer wrapper to satisfy the stored allowlist rule.
The fix hardens wrapper detection and persistence behavior for these multiplexer shell applets so approvals bind to intended inner executables and fail closed when unwrap safety is uncertain.
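The two behaviours described above, as an added illustration that is not OpenClaw's code: `naiveApprovalTarget()` models the pre-fix path, where the persisted key is the wrapper binary in `argv[0]`, and `resolveApprovalTarget()` models a hardened resolver that unwraps `sh -c`-style wrappers and the `busybox`/`toybox` multiplexer applets and returns `null` (fails closed) whenever the inner command cannot be determined with confidence. The `ApprovalStore` class, the tokenizer and all sample command lines are constructed for this example and are not OpenClaw's exec-approval API.

```javascript
// Added illustration (not OpenClaw's code): which executable an `allow-always`
// exec approval should be bound to. The approval store and resolver below are
// hypothetical; the command lines are constructed samples.

const MULTIPLEXERS = new Set(["busybox", "toybox"]);
const SHELLS = new Set(["sh", "ash", "dash", "bash"]);
const MAX_UNWRAP_DEPTH = 4;

function basename(p) {
  return p.split("/").pop();
}

// Minimal tokenizer for a `-c` command string. It understands whitespace and
// single/double quotes only; any syntax that could run a second command or change
// which program executes (operators, expansions, escapes, newlines, unbalanced
// quotes) makes it return null so the caller fails closed instead of guessing.
function tokenize(cmd) {
  const out = [];
  let cur = "";
  let quote = null;
  let inTok = false;
  for (const ch of cmd) {
    if (quote) {
      if (ch === quote) quote = null; else cur += ch;
      continue;
    }
    if (ch === "'" || ch === '"') { quote = ch; inTok = true; continue; }
    if (ch === "\n" || "|&;<>$`()\\".includes(ch)) return null;
    if (/\s/.test(ch)) {
      if (inTok) { out.push(cur); cur = ""; inTok = false; }
      continue;
    }
    cur += ch;
    inTok = true;
  }
  if (quote) return null;
  if (inTok) out.push(cur);
  return out;
}

// Pre-fix behaviour as the advisory describes it: the approval is keyed on the
// wrapper binary (argv[0]), so any later `busybox sh -c <string>` matches.
function naiveApprovalTarget(argv) {
  return argv.length > 0 ? argv[0] : null;
}

// Hardened resolver: returns the inner executable the approval should bind to,
// or null when unwrapping is uncertain. Production code would additionally
// canonicalise the result to an absolute path before persisting it.
function resolveApprovalTarget(argv, depth = 0) {
  if (depth > MAX_UNWRAP_DEPTH) return null;
  // Leading VAR=value assignments are not the executable; skip them.
  let rest = argv;
  while (rest.length > 0 && /^[A-Za-z_][A-Za-z0-9_]*=/.test(rest[0])) rest = rest.slice(1);
  if (rest.length === 0) return null;
  let name = basename(rest[0]);
  if (MULTIPLEXERS.has(name)) {
    // `busybox <applet> ...` behaves like `<applet> ...`: drop the multiplexer.
    if (rest.length < 2) return null;
    rest = rest.slice(1);
    name = basename(rest[0]);
    // A non-shell applet (e.g. `busybox ls`) is itself the executable.
    if (!SHELLS.has(name)) return name;
  }
  if (SHELLS.has(name)) {
    // Only the plain `-c <string>` form is unwrapped; combined flags such as
    // `-lc`, script files, stdin and interactive shells fail closed.
    const cIdx = rest.indexOf("-c");
    if (cIdx === -1 || cIdx + 1 >= rest.length) return null;
    const inner = tokenize(rest[cIdx + 1]);
    if (!inner || inner.length === 0) return null;
    return resolveApprovalTarget(inner, depth + 1);
  }
  return rest[0];
}

// Simulated allow-always store keyed on whatever the resolver returns.
class ApprovalStore {
  constructor(resolver) { this.resolver = resolver; this.allowed = new Set(); }
  // Records the approval and returns the persisted key (null = nothing stored).
  allowAlways(argv) {
    const target = this.resolver(argv);
    if (target !== null) this.allowed.add(target);
    return target;
  }
  isAllowed(argv) {
    const target = this.resolver(argv);
    return target !== null && this.allowed.has(target);
  }
}

// Constructed samples: the first command is approved, the second arrives later
// under the same multiplexer wrapper.
const approved = ["busybox", "sh", "-c", "ls -l"];
const later = ["busybox", "sh", "-c", "env"];
const naive = new ApprovalStore(naiveApprovalTarget);
const hardened = new ApprovalStore(resolveApprovalTarget);
naive.allowAlways(approved);
hardened.allowAlways(approved);
console.log("pre-fix key:", naiveApprovalTarget(approved), "later allowed:", naive.isAllowed(later));
console.log("fixed key:", resolveApprovalTarget(approved), "later allowed:", hardened.isAllowed(later));
```

The design point is the asymmetry in the hardened resolver: it only ever narrows an approval (to the inner executable) or refuses to persist one (on pipes, separators, expansions, newlines or unrecognised wrapper flags); it never widens one to a wrapper binary, which is the shape of the original defect.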
### Fix Commit(s)
- `a67689a7e3ad494b6637c76235a664322d526f9e`
### Release Process Note
`patched_versions` is pre-set to the released version (`2026.2.23`). This advisory now reflects released fix version `2026.2.23`.
OpenClaw thanks @jiseoung for reporting.
CVSS 4.0 (GHSA): 6.9
Vulnerability type: CWE-184 (Incomplete List of Disallowed Inputs)
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026