Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.7
OpenClaw Allows Malicious Commands via Env Wrapper
GHSA-796m-2973-wc5q
Summary
A vulnerability in OpenClaw allows an attacker to execute unexpected commands by manipulating the environment. This could happen if an attacker can influence the command text, for example, through a prompt or content injection. To fix this, the developers have released a new version of OpenClaw, version 2026.2.23, which enforces a stricter policy to prevent this kind of attack. You should update to the latest version to protect your system.
What to do
- Update openclaw to version 2026.2.23.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.23 | 2026.2.23 |
Original title
OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation
Original description
### Summary
`tools.exec` allowlist/safe-bins evaluation could diverge from runtime execution for wrapper commands using GNU `env -S/--split-string` semantics. This allowed policy checks to treat a command as a benign safe-bin invocation while runtime executed a different payload.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable versions: `<= 2026.2.22-2` (latest currently published npm version)
- Patched version (released): `2026.2.23`
### Impact
An attacker able to influence tool command text (for example via untrusted prompt/content injection reaching an exec-capable flow) could bypass allowlist/safe-bins intent and execute unexpected commands.
### Technical Details
Root cause was policy/runtime interpretation mismatch for dispatch wrappers:
- analysis resolved an effective executable from wrapper-unwrapped argv,
- execution could still run original wrapper argv semantics,
- safe-bin short-flag handling also allowed unknown short options in clusters.
### Remediation
The fix hardens exec approvals to fail closed and enforce analysis/runtime parity:
- introduce wrapper execution planning with semantic-wrapper blocking,
- carry planned `effectiveArgv` + `policyBlocked` metadata through resolution,
- evaluate allowlist/safe-bins against planned argv,
- enforce canonical rebuilt shell command from planned argv for allowlist auto-paths,
- use planned argv for node-host/mac exec-host invocation paths,
- reject unknown short safe-bin flags,
- add regression tests for semantic `env` wrappers and parity fixtures.
### Fix Commit(s)
- `a1c4bf07c6baad3ef87a0e710fe9aef127b1f606`
### Release Process Note
`patched_versions` is pre-set to the released version (`2026.2.23`). Patched in `2026.2.23` and published.
OpenClaw thanks @jiseoung for reporting.
`tools.exec` allowlist/safe-bins evaluation could diverge from runtime execution for wrapper commands using GNU `env -S/--split-string` semantics. This allowed policy checks to treat a command as a benign safe-bin invocation while runtime executed a different payload.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable versions: `<= 2026.2.22-2` (latest currently published npm version)
- Patched version (released): `2026.2.23`
### Impact
An attacker able to influence tool command text (for example via untrusted prompt/content injection reaching an exec-capable flow) could bypass allowlist/safe-bins intent and execute unexpected commands.
### Technical Details
Root cause was policy/runtime interpretation mismatch for dispatch wrappers:
- analysis resolved an effective executable from wrapper-unwrapped argv,
- execution could still run original wrapper argv semantics,
- safe-bin short-flag handling also allowed unknown short options in clusters.
### Remediation
The fix hardens exec approvals to fail closed and enforce analysis/runtime parity:
- introduce wrapper execution planning with semantic-wrapper blocking,
- carry planned `effectiveArgv` + `policyBlocked` metadata through resolution,
- evaluate allowlist/safe-bins against planned argv,
- enforce canonical rebuilt shell command from planned argv for allowlist auto-paths,
- use planned argv for node-host/mac exec-host invocation paths,
- reject unknown short safe-bin flags,
- add regression tests for semantic `env` wrappers and parity fixtures.
### Fix Commit(s)
- `a1c4bf07c6baad3ef87a0e710fe9aef127b1f606`
### Release Process Note
`patched_versions` is pre-set to the released version (`2026.2.23`). Patched in `2026.2.23` and published.
OpenClaw thanks @jiseoung for reporting.
ghsa CVSS4.0
5.7
Vulnerability type
CWE-436
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026