Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.9
OpenClaw plugin execution can run system commands with same privileges
GHSA-ff98-w8hj-qrxf
Summary
OpenClaw plugins can execute system commands with the same level of access as the main application. This means that if a malicious plugin is installed, it could potentially run system commands that it shouldn't be able to. To stay safe, only install trusted plugins and use the `plugins.allow` feature to pin specific trusted plugin IDs.
What to do
- Update openclaw to version 2026.2.19.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.19 | 2026.2.19 |
Original title
OpenClaw plugin runtime command execution is part of trusted plugin boundary
Original description
### Summary
OpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugin runtime command execution (`runtime.system.runCommandWithTimeout`).
### Impact
Plugins already execute with the same OS privileges as the OpenClaw process. Exposing runtime command helpers does not cross an additional sandbox boundary.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version reviewed: `2026.2.17`
- Affected range for this advisory record: `<= 2026.2.17`
- Planned patched version metadata: `2026.2.19` (next release line)
### Fix Commit(s)
- `2e421f32dfc589c02706265fd3c3137ffc06c4b1`
### Remediation
- Install only trusted plugins.
- Use `plugins.allow` to pin explicit trusted plugin IDs.
- SECURITY.md now explicitly documents that plugin runtime helpers are convenience APIs, not a sandbox boundary.
OpenClaw thanks @markmusson for reporting.
OpenClaw plugins/extensions run in-process and are treated as trusted code. This advisory tracks trust-boundary clarification around plugin runtime command execution (`runtime.system.runCommandWithTimeout`).
### Impact
Plugins already execute with the same OS privileges as the OpenClaw process. Exposing runtime command helpers does not cross an additional sandbox boundary.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version reviewed: `2026.2.17`
- Affected range for this advisory record: `<= 2026.2.17`
- Planned patched version metadata: `2026.2.19` (next release line)
### Fix Commit(s)
- `2e421f32dfc589c02706265fd3c3137ffc06c4b1`
### Remediation
- Install only trusted plugins.
- Use `plugins.allow` to pin explicit trusted plugin IDs.
- SECURITY.md now explicitly documents that plugin runtime helpers are convenience APIs, not a sandbox boundary.
OpenClaw thanks @markmusson for reporting.
ghsa CVSS4.0
6.9
Vulnerability type
CWE-78
OS Command Injection
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026