7.1
OpenClaw: External Code Can Run Without Approval
GHSA-vmqr-rc7x-3446
CVE-2026-22169
Summary
A security flaw in OpenClaw's non-default settings allows external code to be executed without proper approval. This could lead to unauthorized actions being taken on your system. Update to the latest version of OpenClaw as soon as it's available to fix this issue.
What to do
- Update steipete openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. Wh...
Original description
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. When sort is explicitly added to tools.exec.safeBins, remote attackers can bypass intended safe-bin approval constraints by leveraging the compress-program parameter to execute unauthorized external programs.
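As an added example (not OpenClaw's own code) of the check a safe-bin allowlist needs in order to reject the pattern described above: argv for an allowlisted binary is scanned for options that make it spawn another program. It assumes the allowlist is the array configured at tools.exec.safeBins; the HELPER_SPAWNING_OPTIONS table and the function names are hypothetical.

```javascript
// Added example, not OpenClaw's code: a conservative argv check for an
// exec safe-bin allowlist, modelled on the advisory's description.
// Assumption: the allowlist is the array configured at tools.exec.safeBins.

// Long options that make an otherwise "safe" binary spawn another program.
// Only the case the advisory names (GNU sort --compress-program) is listed;
// extend per binary as needed.
const HELPER_SPAWNING_OPTIONS = {
  sort: ["--compress-program"],
};

// GNU getopt_long accepts any unambiguous prefix of a long option, so
// "--compress-prog=gzip" means the same as "--compress-program=gzip".
// An exact string match would miss that, so any prefix of the banned option
// with at least one character after "--" is treated as a match (ambiguous
// prefixes are rejected too, which is the safe direction for an allowlist).
function matchesLongOption(token, option) {
  const name = token.split("=", 1)[0];
  return name.length >= 3 && option.startsWith(name);
}

// Returns { allowed, reason } for an argv array (argv[0] is the program).
function checkSafeBinInvocation(argv, safeBins) {
  if (argv.length === 0) return { allowed: false, reason: "empty argv" };
  const bin = argv[0].split("/").pop();
  if (!safeBins.includes(bin)) {
    return { allowed: false, reason: `${bin} is not in tools.exec.safeBins` };
  }
  const banned = HELPER_SPAWNING_OPTIONS[bin] || [];
  for (const token of argv.slice(1)) {
    if (token === "--") break; // everything after "--" is an operand, not an option
    if (!token.startsWith("--")) continue;
    for (const option of banned) {
      if (matchesLongOption(token, option)) {
        return { allowed: false, reason: `${bin} ${option} spawns an external helper` };
      }
    }
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample: "sort" is explicitly allowlisted, as in the advisory.
const sampleSafeBins = ["sort"];
console.log(checkSafeBinInvocation(["sort", "-r", "names.txt"], sampleSafeBins));
console.log(checkSafeBinInvocation(["sort", "--compress-program=gzip", "names.txt"], sampleSafeBins));
```

A check like this only covers the option the advisory names; the fixed release should still be applied, since other binaries may have their own helper-spawning flags.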
OSV CVSS 3.1 score: 6.4
Vulnerability type
CWE-15
CWE-78
OS Command Injection
Published: 18 Mar 2026 · Updated: 18 Mar 2026 · First seen: 18 Mar 2026