
OpenClaw's tools.exec.safeBins Allows Unauthorized Execution of Interpreter Binaries

GHSA-8mf7-vv8w-hjr2
Summary

When a binary listed in OpenClaw's tools.exec.safeBins has no explicit safe-bin profile, OpenClaw falls back to a permissive generic profile; in allowlist mode this can let interpreter-style binaries run inline code. Only deployments where an operator has added such binaries to safeBins (non-default or misconfigured setups) are affected. The fix removes the generic fallback, requires an explicit profile for every safeBins entry, and adds a tools.exec.safeBinProfiles option for custom safe binaries.

What to do
  • Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw's tools.exec.safeBins generic fallback allowed interpreter-style inline payload execution in allowlist mode
Original description
### Summary
When `tools.exec.safeBins` contained a binary without an explicit safe-bin profile, OpenClaw used a permissive generic fallback profile. In allowlist mode, that could let interpreter-style binaries (for example `python3`, `node`, `ruby`) execute inline payloads via flags like `-c`.

This requires explicit operator configuration to add such binaries to `safeBins`, so impact is limited to non-default/misconfigured deployments.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.21-2`
- Patched in code: `>= 2026.2.22` (planned next npm release)

### Fix
- Remove generic safe-bin fallback during allowlist evaluation.
- Require explicit safe-bin profiles for `safeBins` entries.
- Add configurable `tools.exec.safeBinProfiles` (global + per-agent) for safe custom binaries.
- Update docs to clearly separate `safeBins` from command allowlist semantics.
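The fallback behaviour described above and the fix items (no generic fallback, explicit profiles required, operator-supplied `safeBinProfiles`) can be modelled side by side. The following is an added example written for this page, not OpenClaw's own code; `BUILTIN_PROFILES`, `GENERIC_FALLBACK`, the `allowedFlags` profile shape, `evaluateBefore`/`evaluateAfter`, `unprofiledSafeBins` and the sample configs are all hypothetical.

```javascript
// Added example, not OpenClaw's code: a minimal model of a safe-bin allowlist
// check that falls back to a permissive generic profile for unknown entries,
// next to the corrected behaviour the advisory describes.
// Profile names, flag lists, config shapes and helper names are hypothetical.

// Hypothetical built-in safe-bin profiles: the flags each binary may take.
const BUILTIN_PROFILES = {
  ls: { allowedFlags: ["-l", "-a", "-h"] },
  cat: { allowedFlags: ["-n"] },
};

// The permissive fallback the advisory describes: no flag restriction at all.
const GENERIC_FALLBACK = { allowedFlags: null };

function splitCommand(cmd) {
  return cmd.trim().split(/\s+/);
}

// Every flag-like token must be in the profile's allowed list; a null list
// means "anything goes", which is exactly the weak behaviour.
function flagsPermitted(profile, args) {
  if (profile.allowedFlags === null) return true;
  const allowed = new Set(profile.allowedFlags);
  return args.filter((a) => a.startsWith("-")).every((a) => allowed.has(a));
}

// BEFORE: a safeBins entry without a built-in profile silently gets the
// generic fallback, so interpreter flags such as -c are never rejected.
function evaluateBefore(execConfig, cmd) {
  const [bin, ...args] = splitCommand(cmd);
  if (!execConfig.safeBins.includes(bin)) {
    return { allowed: false, reason: `${bin} is not in safeBins` };
  }
  const profile = BUILTIN_PROFILES[bin] ?? GENERIC_FALLBACK;
  return flagsPermitted(profile, args)
    ? { allowed: true, reason: "safe-bin profile accepted flags" }
    : { allowed: false, reason: `flags not permitted for ${bin}` };
}

// AFTER: no fallback. A profile must come from the built-ins or from the
// operator's explicit safeBinProfiles; otherwise the entry is rejected.
function evaluateAfter(execConfig, cmd) {
  const [bin, ...args] = splitCommand(cmd);
  if (!execConfig.safeBins.includes(bin)) {
    return { allowed: false, reason: `${bin} is not in safeBins` };
  }
  const profile = execConfig.safeBinProfiles?.[bin] ?? BUILTIN_PROFILES[bin];
  if (!profile) {
    return { allowed: false, reason: `no explicit safe-bin profile for ${bin}` };
  }
  return flagsPermitted(profile, args)
    ? { allowed: true, reason: "safe-bin profile accepted flags" }
    : { allowed: false, reason: `flags not permitted for ${bin}` };
}

// Config audit: safeBins entries that would have hit the fallback, i.e. the
// ones an operator must either drop or give an explicit profile.
function unprofiledSafeBins(execConfig) {
  return execConfig.safeBins.filter(
    (bin) => !(execConfig.safeBinProfiles?.[bin] ?? BUILTIN_PROFILES[bin]),
  );
}

// Constructed sample config: python3 is listed as a safe bin with no profile.
const SAMPLE_CONFIG = {
  safeBins: ["ls", "python3"],
  safeBinProfiles: {},
};

// Constructed sample config after the operator adds an explicit profile that
// only permits a version query, so inline-code flags stay blocked.
const HARDENED_CONFIG = {
  safeBins: ["ls", "python3"],
  safeBinProfiles: { python3: { allowedFlags: ["--version"] } },
};

// Stand-alone demonstration of the two evaluators on the sample configs.
function demo() {
  const cmd = 'python3 -c "print(1)"';
  console.log("before:", evaluateBefore(SAMPLE_CONFIG, cmd));
  console.log("after: ", evaluateAfter(SAMPLE_CONFIG, cmd));
  console.log("audit: ", unprofiledSafeBins(SAMPLE_CONFIG));
}
demo();
```

`unprofiledSafeBins` is the check an operator would run over an existing config before upgrading: any entry it returns relied on the fallback and needs either an explicit profile or removal from `safeBins`.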

### Fix Commit(s)
- `47c3f742b6c488be26dd7b9636dbbb8676089154`

### Release Process Note
`patched_versions` is pre-set to the planned next release (`>= 2026.2.22`) so once that npm release is published, the advisory can be published directly without further metadata edits.

OpenClaw thanks @tdjackey for reporting.
Severity: CVSS 4.0 base score 2.3 (source: GHSA)
Vulnerability type
CWE-78 OS Command Injection
CWE-693 Protection Mechanism Failure
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026