Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
OpenClaw's system.run bypass lets attackers run unauthorized commands
GHSA-9868-vxmx-w862
Summary
OpenClaw's system.run feature can be tricked into running unauthorized commands in certain situations, potentially allowing attackers to execute code that's not approved. This affects OpenClaw versions up to 2026.2.21-2. To stay safe, update to the latest version or temporarily set a security setting to deny unauthorized commands.
What to do
- Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw's system.run allowlist bypass via shell line-continuation command substitution
Original description
### Summary
In OpenClaw `system.run` allowlist mode, shell-wrapper analysis could be bypassed by splitting command substitution as `$\\` + newline + `(` inside double quotes. Analysis treated the payload as allowlisted (for example `/bin/echo`), while shell runtime folded the line continuation into `$(...)` and executed non-allowlisted subcommands.
### Affected Packages / Versions
- Package: npm `openclaw`
- Latest published affected version: `2026.2.21-2`
- Affected range: `<=2026.2.21-2`
- Patched version (planned next release): `2026.2.22`
### Impact
In deployments that opt into `tools.exec.security=allowlist` (with `ask=on-miss` or `off`), this can bypass approval boundaries and lead to unintended command execution.
### Fix Commit(s)
- `3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9`
### Remediation
- Upgrade to `2026.2.22` (or newer) when published.
- Temporary mitigation: set `tools.exec.ask=always` or `tools.exec.security=deny`.
### Release Process Note
`patched_versions` is pre-set to planned next release `2026.2.22`. After npm release is out, this advisory should be ready for direct publish without additional metadata edits.
OpenClaw thanks @tdjackey for reporting.
In OpenClaw `system.run` allowlist mode, shell-wrapper analysis could be bypassed by splitting command substitution as `$\\` + newline + `(` inside double quotes. Analysis treated the payload as allowlisted (for example `/bin/echo`), while shell runtime folded the line continuation into `$(...)` and executed non-allowlisted subcommands.
### Affected Packages / Versions
- Package: npm `openclaw`
- Latest published affected version: `2026.2.21-2`
- Affected range: `<=2026.2.21-2`
- Patched version (planned next release): `2026.2.22`
### Impact
In deployments that opt into `tools.exec.security=allowlist` (with `ask=on-miss` or `off`), this can bypass approval boundaries and lead to unintended command execution.
### Fix Commit(s)
- `3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9`
### Remediation
- Upgrade to `2026.2.22` (or newer) when published.
- Temporary mitigation: set `tools.exec.ask=always` or `tools.exec.security=deny`.
### Release Process Note
`patched_versions` is pre-set to planned next release `2026.2.22`. After npm release is out, this advisory should be ready for direct publish without additional metadata edits.
OpenClaw thanks @tdjackey for reporting.
Vulnerability type
CWE-78
OS Command Injection
CWE-863
Incorrect Authorization
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026