7.4
OpenClaw: Windows cmd.exe commands may execute unintended actions
CVE-2026-28391
GHSA-qj77-c3c8-9c3q
Summary
If you're using OpenClaw on Windows and have enabled exec allowlist/approval gating, a crafted command string can cause cmd.exe to run additional operations beyond what was approved, for example through command chaining or variable expansion. To fix this, update OpenClaw to version 2026.2.2 or later.
What to do
- Update steipete's openclaw to version 2026.2.2 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.2 | 2026.2.2 |
| openclaw | openclaw | <= 2026.2.2 | – |
Original title
OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating
Original description
### Summary
On Windows nodes, exec requests were executed via `cmd.exe /d /s /c <rawCommand>`. In allowlist/approval-gated mode, the allowlist analysis did not model Windows `cmd.exe` parsing and metacharacter behavior. A crafted command string could cause `cmd.exe` to interpret additional operations (for example command chaining via `&`, or expansion via `%...%` / `!...!`) beyond what was allowlisted/approved.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.1`
- Patched: `>= 2026.2.2`
- Latest (npm) as of 2026-02-14: `2026.2.13`
### Details
- Default installs: Not affected unless you opt into exec allowlist/approval gating on Windows nodes.
- Windows execution uses `cmd.exe` via `src/infra/node-shell.ts`.
- The fix hardens Windows allowlist enforcement by:
  - Passing the platform into allowlist analysis and rejecting Windows shell metacharacters.
  - Treating `cmd.exe` invocation as not allowlist-safe on Windows.
  - Avoiding `cmd.exe` entirely in allowlist mode by executing the parsed argv directly when possible.
### Fix Commit(s)
- `a7f4a53ce80c98ba1452eb90802d447fca9bf3d6`
Thanks @simecek for reporting.
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 9.2
Vulnerability type: CWE-78 (OS Command Injection)
- https://github.com/openclaw/openclaw/commit/a7f4a53ce80c98ba1452eb90802d447fca9b...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qj77-c3c8-9c3q
- https://www.vulncheck.com/advisories/openclaw-command-injection-via-cmdexe-parsi...
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.2
- https://github.com/advisories/GHSA-qj77-c3c8-9c3q
- https://nvd.nist.gov/vuln/detail/CVE-2026-28391
- https://github.com/openclaw/openclaw (product page)
Published: 17 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026