OpenClaw's system.run allowlist bypass via shell line-continuation command substitution

説明

Summary

In OpenClaw system.run allowlist mode, shell-wrapper analysis could be bypassed by splitting command substitution as $\\ + newline + ( inside double quotes. Analysis treated the payload as allowlisted (for example /bin/echo), while shell runtime folded the line continuation into $(...) and executed non-allowlisted subcommands.

Affected Packages / Versions

  • Package: npm openclaw
  • Latest published affected version: 2026.2.21-2
  • Affected range: <=2026.2.21-2
  • Patched version (planned next release): 2026.2.22

Impact

In deployments that opt into tools.exec.security=allowlist (with ask=on-miss or off), this can bypass approval boundaries and lead to unintended command execution.

Fix Commit(s)

  • 3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9

Remediation

  • Upgrade to 2026.2.22 (or newer) when published.
  • Temporary mitigation: set tools.exec.ask=always or tools.exec.security=deny.

Release Process Note

patched_versions is pre-set to planned next release 2026.2.22. After npm release is out, this advisory should be ready for direct publish without additional metadata edits.

OpenClaw thanks @tdjackey for reporting.

基本情報

タイプ
reviewed
深刻度
medium
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
リポジトリのアドバイザリを開く ↗
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2026-03-03 19:53:22 UTC
更新
2026-03-19 21:21:48 UTC
GitHub レビュー済み
2026-03-03 19:53:22 UTC

EPSS Score

Score Percentile
0.02% 5.25%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-863 Incorrect Authorization

Credits

  • tdjackey (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm openclaw < 2026.2.22 2026.2.22

References

cvelogic Threat Intelligence