In OpenClaw's system.run allowlist mode, the shell-wrapper analysis could be bypassed by splitting a command substitution across a line continuation inside double quotes: `$`, then a backslash, a newline, and `(`. The analysis saw the command as an allowlisted program (for example /bin/echo) with no `$(...)` in its arguments, while the shell deleted the backslash-newline pair when reading the line, folding the text back into `$(...)` and executing the non-allowlisted subcommand.
| Field | Value |
|---|---|
| Package | openclaw (npm) |
| Affected versions | <= 2026.2.21-2 |
| Patched version | 2026.2.22 (or newer) when published |
| Fix commit | 3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9 |
| Workarounds | Set tools.exec.ask=always or tools.exec.security=deny. |

Impact: in deployments that opt into tools.exec.security=allowlist (with ask=on-miss or off), this can bypass approval boundaries and lead to unintended command execution.

Maintainer note carried in the advisory: patched_versions is pre-set to the planned next release 2026.2.22. After the npm release is out, this advisory should be ready for direct publish without additional metadata edits.
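As an added illustration (this is not OpenClaw's code; the allowlist and the function names naiveAnalysis, foldLineContinuations and hardenedAnalysis are invented for the example), the following JavaScript contrasts a wrapper check that inspects the command text as written with one that first removes backslash-newline pairs the way the shell does before tokenizing, and then fails closed on anything that still looks like a second command:

```javascript
// Added example, not OpenClaw's code. ALLOWLIST and the analysis functions
// are hypothetical; the payload below is constructed for the demonstration.

const ALLOWLIST = new Set(["/bin/echo"]);

// Constructed payload: `$`, a backslash, a newline, then `(` inside double
// quotes. The shell deletes the backslash-newline pair while reading the
// line, so what actually runs is /bin/echo "$(id)" and `id` executes.
const PAYLOAD = '/bin/echo "$\\\n(id)"';

// Syntax that runs a subcommand: $( ... ), backticks, <( ... ), >( ... ).
const SUBSTITUTION = /\$\(|`|<\(|>\(/;

function firstWord(cmd) {
  return cmd.trim().split(/\s+/)[0];
}

// Naive check: program name is allowlisted and the raw text contains no
// substitution syntax. It scans the bytes as written, not as the shell
// reads them, so "$" + "\" + newline + "(" never matches "$(".
function naiveAnalysis(cmd) {
  if (!ALLOWLIST.has(firstWord(cmd))) {
    return { allowed: false, reason: "program not allowlisted" };
  }
  if (SUBSTITUTION.test(cmd)) {
    return { allowed: false, reason: "command substitution" };
  }
  return { allowed: true, reason: "allowlisted" };
}

// What the shell sees: a backslash-newline pair outside single quotes is a
// line continuation and is removed before tokens are formed. Folding it
// inside single quotes too (where it would be literal) only makes the
// check stricter, which is the safe direction for an allowlist.
function foldLineContinuations(cmd) {
  return cmd.replace(/\\\r?\n/g, "");
}

// Hardened check: normalize first, then refuse any remaining newline (a
// command separator) and any substitution syntax in the folded text.
function hardenedAnalysis(cmd) {
  const folded = foldLineContinuations(cmd);
  if (/[\r\n]/.test(folded)) {
    return { allowed: false, reason: "embedded newline" };
  }
  if (!ALLOWLIST.has(firstWord(folded))) {
    return { allowed: false, reason: "program not allowlisted" };
  }
  if (SUBSTITUTION.test(folded)) {
    return { allowed: false, reason: "command substitution" };
  }
  return { allowed: true, reason: "allowlisted" };
}

console.log("shell sees:", JSON.stringify(foldLineContinuations(PAYLOAD)));
console.log("naive:", naiveAnalysis(PAYLOAD));
console.log("hardened:", hardenedAnalysis(PAYLOAD));
```

Run it with `node`. The naive check reports the payload as allowlisted /bin/echo, while the hardened check sees `/bin/echo "$(id)"` after folding and rejects it. The general lesson is that any static analysis of a command string has to apply the same lexical normalizations the target shell applies (line continuations here, but quoting and escape rules in general) before it looks for dangerous tokens; where modelling the shell exactly is impractical, rejecting the input outright is the correct fallback.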
OpenClaw thanks @tdjackey for reporting.
| Score | Percentile |
|---|---|
| 0.02% | 5.25% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-9868-vxmx-w862 |
| CVE | CVE-2026-28460 |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | < 2026.2.22 | 2026.2.22 | — |