Description
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.
Published: 2026-02-21
Score: 7.6 High
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the construction of a shell command in the keychain credential refresh path of OpenClaw’s Claude CLI on macOS. In versions 2026.2.13 and older, the JSON blob holding OAuth tokens is passed unchecked to the "security add-generic-password" command. Because the tokens are user‑controlled, an attacker can inject arbitrary shell commands. The flaw is a Command Injection (CWE‑78) and could allow arbitrary code execution with the privileges of the OpenClaw process.

Affected Systems

The vulnerable product is OpenClaw, a personal AI assistant built on Node.js. Any installations using version 2026.2.13 or earlier running on macOS are affected.

Risk and Exploitability

The CVSS score of 7.6 reflects high severity, yet the EPSS is 0.012%, indicating an extremely low likelihood of exploitation in the wild. The issue is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attacker would need to supply a malicious OAuth token to the affected instance, implying a local or privileged context. If such a token is injected, the arbitrary command will run with the OpenClaw process’s rights.

Generated by OpenCVE AI on June 18, 2026 at 13:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenClaw installation to version 2026.2.14 or later.
  • Ensure that any OAuth tokens used by OpenClaw are issued by trusted providers and are not tampered with.
  • If an upgrade cannot be performed immediately, review and modify the credential write logic to eliminate shell command usage or strictly sanitize the token content before passing it to the command line.

Generated by OpenCVE AI on June 18, 2026 at 13:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4564-pvr2-qq4h OpenClaw: Prevent shell injection in macOS keychain credential write
History

Tue, 24 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Openclaw
Openclaw openclaw
Vendors & Products Openclaw
Openclaw openclaw

Sat, 21 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
Description OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.
Title OpenClaw: Prevent shell injection in macOS keychain credential write
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L'}

Subscriptions

Apple Macos
Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:21:54.882Z

Reserved: 2026-02-19T19:46:03.541Z

Link: CVE-2026-27487

cve-icon Vulnrichment

Updated: 2026-02-24T18:21:43.912Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-21T10:16:13.100

Modified: 2026-06-17T10:27:14.390

Link: CVE-2026-27487

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:45:05Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')