Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.3
OpenClaw macOS Companion App Security Risk: Malicious Code Execution
GHSA-5f9p-f3w2-fwch
Summary
The OpenClaw macOS companion app, currently in beta, has a security risk that could allow malicious code to be executed on a paired macOS host. This is possible if the app's settings are configured in a specific way and an attacker submits a specially crafted command. To protect your system, update the OpenClaw app to the latest version, which is expected to be released soon.
What to do
- Update steipete openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
Original description
### Summary
In the macOS companion app (**currently beta**), a parsing mismatch in exec approvals could let shell-chain payloads pass allowlist checks in `system.run` under specific settings.
### Impact
This path requires all of the following:
- authenticated caller with `operator.write`
- paired macOS beta node host
- exec approvals set to `security=allowlist` and `ask=on-miss`
Under those conditions, a shell-chain command could be approved from an incomplete command view and then executed on the paired macOS host.
### Default Install Status
Default installs are not affected.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.21-2`
- Patched (planned next release): `>= 2026.2.22`
### Technical Details
The fix hardens macOS allowlist resolution by evaluating shell chains per segment and failing closed on unsafe shell-substitution parsing in allowlist mode.
### Product Status Note
The affected macOS companion app path is currently in beta.
### Fix Commit(s)
- `5da03e622119fa012285cdb590fcf4264c965cb5`
- `e371da38aab99521c4e076cd3d95fd775e00b784`
### Release Process Note
`patched_versions` is pre-set to the planned next npm release (`2026.2.22`) so once that version is published, this advisory can be published without additional metadata edits.
OpenClaw thanks @tdjackey for reporting.
In the macOS companion app (**currently beta**), a parsing mismatch in exec approvals could let shell-chain payloads pass allowlist checks in `system.run` under specific settings.
### Impact
This path requires all of the following:
- authenticated caller with `operator.write`
- paired macOS beta node host
- exec approvals set to `security=allowlist` and `ask=on-miss`
Under those conditions, a shell-chain command could be approved from an incomplete command view and then executed on the paired macOS host.
### Default Install Status
Default installs are not affected.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.21-2`
- Patched (planned next release): `>= 2026.2.22`
### Technical Details
The fix hardens macOS allowlist resolution by evaluating shell chains per segment and failing closed on unsafe shell-substitution parsing in allowlist mode.
### Product Status Note
The affected macOS companion app path is currently in beta.
### Fix Commit(s)
- `5da03e622119fa012285cdb590fcf4264c965cb5`
- `e371da38aab99521c4e076cd3d95fd775e00b784`
### Release Process Note
`patched_versions` is pre-set to the planned next npm release (`2026.2.22`) so once that version is published, this advisory can be published without additional metadata edits.
OpenClaw thanks @tdjackey for reporting.
ghsa CVSS4.0
2.3
Vulnerability type
CWE-184
CWE-285
Improper Authorization
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026