Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.9
OpenClaw's shell-execution bypass in allowlist mode
GHSA-ccg8-46r6-9qgj
Summary
A bug in OpenClaw allows attackers to bypass approval prompts for executing shell commands, potentially allowing malicious code to run without permission. This affects users of OpenClaw's `system.run` feature in allowlist mode. To protect your system, update to the latest version of OpenClaw, at least 2026.2.24.
What to do
- Update openclaw to version 2026.2.24.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.23 | 2026.2.24 |
Original title
OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
Original description
### Summary
A wrapper-depth parsing mismatch in `system.run` allowed nested transparent dispatch wrappers (for example repeated `/usr/bin/env`) to suppress shell-wrapper detection while still matching allowlist resolution. In `security=allowlist` + `ask=on-miss`, this could bypass the expected approval prompt for shell execution.
### Severity / Trust Model
OpenClaw’s documented model treats authenticated gateway callers as trusted operators and exec approvals as operator guardrails. This issue is still a real approval-boundary bypass and is triaged as **Medium** in that model.
### Technical Details
- Dispatch-wrapper unwrapping stopped at `MAX_DISPATCH_WRAPPER_DEPTH`.
- Shell-wrapper extraction could return non-wrapper once depth was exhausted.
- Allowlist resolution could still succeed on partially unwrapped argv beginning with `/usr/bin/env`.
- Result: nested wrapper chains could execute `/bin/sh -c ...` without fresh approval in `allowlist` + `ask=on-miss`.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version at triage time: `2026.2.23`
- Vulnerable versions: `<= 2026.2.23`
- Patched versions (planned next release): `>= 2026.2.24`
### Fix Commit(s)
- `57c9a18180c8b14885bbd95474cbb17ff2d03f0b`
### Verification
- Added regression coverage for depth-overflow wrapper chains at resolution and `system.run` invocation layers.
- Reproduced previous PoC behavior before fix, then confirmed denial after fix with `SYSTEM_RUN_DENIED: approval required`.
### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.24`) so once npm publish is complete, advisory publication can proceed without additional version edits.
OpenClaw thanks @tdjackey for reporting.
### Publication Update (2026-02-25)
`[email protected]` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.
A wrapper-depth parsing mismatch in `system.run` allowed nested transparent dispatch wrappers (for example repeated `/usr/bin/env`) to suppress shell-wrapper detection while still matching allowlist resolution. In `security=allowlist` + `ask=on-miss`, this could bypass the expected approval prompt for shell execution.
### Severity / Trust Model
OpenClaw’s documented model treats authenticated gateway callers as trusted operators and exec approvals as operator guardrails. This issue is still a real approval-boundary bypass and is triaged as **Medium** in that model.
### Technical Details
- Dispatch-wrapper unwrapping stopped at `MAX_DISPATCH_WRAPPER_DEPTH`.
- Shell-wrapper extraction could return non-wrapper once depth was exhausted.
- Allowlist resolution could still succeed on partially unwrapped argv beginning with `/usr/bin/env`.
- Result: nested wrapper chains could execute `/bin/sh -c ...` without fresh approval in `allowlist` + `ask=on-miss`.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version at triage time: `2026.2.23`
- Vulnerable versions: `<= 2026.2.23`
- Patched versions (planned next release): `>= 2026.2.24`
### Fix Commit(s)
- `57c9a18180c8b14885bbd95474cbb17ff2d03f0b`
### Verification
- Added regression coverage for depth-overflow wrapper chains at resolution and `system.run` invocation layers.
- Reproduced previous PoC behavior before fix, then confirmed denial after fix with `SYSTEM_RUN_DENIED: approval required`.
### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.24`) so once npm publish is complete, advisory publication can proceed without additional version edits.
OpenClaw thanks @tdjackey for reporting.
### Publication Update (2026-02-25)
`[email protected]` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.
ghsa CVSS4.0
6.9
Vulnerability type
CWE-284
Improper Access Control
CWE-863
Incorrect Authorization
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026