OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion

Description

Summary

OpenClaw's exec-approvals allowlist supports a small set of "safe bins" intended to be stdin-only (no positional file arguments) when running tools.exec.host=gateway|node with security=allowlist.

In affected configurations, the allowlist validation checked pre-expansion argv tokens, but execution used a real shell (sh -c) which expands globs and environment variables. This allowed safe bins like head, tail, or grep to read arbitrary local files via tokens such as * or $HOME/... without triggering approvals.

This issue is configuration-dependent and is not exercised by default settings (default tools.exec.host is sandbox).

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.13
  • Patched: >= 2026.2.14 (planned; publish the advisory after the npm release is out)

Impact

An authorized but untrusted caller (or prompt-injection) could cause the gateway/node process to disclose files readable by that process when host execution is enabled in allowlist mode.

Fix

Safe-bins executions now force argv tokens to be treated as literal text at execution time (single-quoted), preventing globbing and $VARS expansion from turning "safe" tokens into file paths.

Fix Commit(s)

  • 77b89719d5b7e271f48b6f49e334a8b991468c3b

Release Process Note

patched_versions is pre-set for the next planned release (>= 2026.2.14) so publishing is a single click once that npm version is available.

Thanks @christos-eth for reporting.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-02-18 00:50:47 UTC
Updated
2026-03-06 01:02:55 UTC
GitHub reviewed
2026-02-18 00:50:47 UTC
NVD published
2026-03-05

EPSS Score

Score Percentile
0.02% 5.42%

CVSS Scores

Base score Version Severity Vector
5.7 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
8.6 4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:L)
Attacker needs local access on the target system.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H)
High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Credits

  • christos-eth (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm openclaw < 2026.2.14 2026.2.14

References

cvelogic Threat Intelligence