In allowlist mode, system.run guardrails could be bypassed through env -S, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.
This issue is rated medium because it is a guardrail/policy bypass in OpenClaw's trusted-operator model, not an authentication boundary break.
exec approvals/allowlists are operator safety controls.openclaw (npm)<= 2026.2.22-2>= 2026.2.23Latest published npm version checked during triage: 2026.2.22-2.
When /usr/bin/env is allowlisted, env -S 'sh -c ...' could be treated as allowed non-wrapper argv while runtime still executes shell-wrapper semantics.
a1c4bf07c6baad3ef87a0e710fe9aef127b1f606 (core allowlist/runtime parity hardening)3f923e831364d83d0f23499ee49961de334cf58b (explicit env -S regressions)patched_versions is pre-set to >= 2026.2.23, so this advisory is now public.
OpenClaw thanks @tdjackey for reporting.
| Score | Percentile |
|---|---|
| 0.07% | 21.61% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-48wf-g7cp-gr3m ↗ |
| CVE | CVE-2026-31992 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | < 2026.2.23 | 2026.2.23 | — |