Impact
OpenClaw’s sort command validates executables using a safeBins allowlist. Before version 2026.2.23 the check could be bypassed with GNU long-option abbreviations: the exact string --compress-program was correctly denied, but an abbreviated spelling such as --compress-prog passed the check, and GNU sort (which parses arguments with getopt_long and therefore accepts any unambiguous prefix of a long option) treats the abbreviation as the same option. Because --compress-program names a program that sort executes, the abbreviation let a caller run an arbitrary command through the sort interface without the explicit approval that path was supposed to require. The root cause is a CWE-184 style weakness (incomplete list of disallowed inputs): option names were compared against one fixed spelling instead of being resolved to their canonical form before validation, which turned an allowlist check into a command injection vector.
Affected Systems
All OpenClaw releases before 2026.2.23 are affected; upgrading to 2026.2.23 or later removes the bypass. The advisory names no operating-system or platform restriction, and the flaw lives in the safeBins validation logic itself, so it is reachable in any deployment where that validation handles a sort invocation.
Risk and Exploitability
The CVSS score of 9.9 rates the issue critical. The EPSS score of under 1% indicates a low current probability of exploitation in the wild, consistent with the precondition that an attacker must be able to influence the arguments of a sort command that OpenClaw validates; it is not a statement about how hard the bypass is to perform, which amounts to shortening one option token. The vulnerability is not listed in the CISA KEV catalog. The attack vector is therefore anyone, local or otherwise, who controls the arguments of a sort invocation that OpenClaw runs under its safeBins check. The attacker supplies an abbreviated long option, for example --compress-prog=<program>, that does not equal the denied exact string --compress-program but that sort resolves to it, so the named program is executed without the approval step. A successful bypass yields command execution with the privileges of the OpenClaw process, compromising confidentiality, integrity, and availability.
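The mechanism described under Impact and the attacker's step described above, as an added example that is not OpenClaw's code: an exact-string check modelled on the weakness beside a hardened check that first resolves every long option the way getopt_long does (exact match wins, otherwise a unique prefix, ambiguous or unknown names fail closed). The function names, the denied set and the option table, a subset of GNU sort's long options, are assumptions made for illustration.

```python
"""Why an exact-string option denylist fails against GNU long-option abbreviations.

Added example; this is not OpenClaw code. The function names, the option table
and the denied set are assumptions made for illustration. The option table is a
subset of GNU sort's long options, used to mimic getopt_long's rule that any
unambiguous prefix of a long option is accepted as that option.
"""

# Subset of GNU sort long options (assumption: enough to show the matching rule).
SORT_LONG_OPTIONS = (
    "batch-size", "buffer-size", "check", "compress-program", "debug",
    "dictionary-order", "field-separator", "files0-from",
    "general-numeric-sort", "help", "human-numeric-sort", "ignore-case",
    "ignore-leading-blanks", "ignore-nonprinting", "key", "merge",
    "month-sort", "numeric-sort", "output", "parallel", "random-sort",
    "random-source", "reverse", "sort", "stable", "temporary-directory",
    "unique", "version", "version-sort", "zero-terminated",
)

# --compress-program=PROG makes sort execute PROG, so it must never pass an
# unattended allowlist. Only the option the advisory names is listed here.
DENIED_OPTIONS = frozenset({"compress-program"})

DENIED_EXACT_STRING = "--compress-program"


def vulnerable_is_safe(args):
    """Exact-string denylist, the weakness the advisory describes.

    Returns True ("safe, no approval needed") unless the token before any
    '=' equals the denied spelling verbatim. An abbreviation slips through.
    """
    for token in args:
        if token.split("=", 1)[0] == DENIED_EXACT_STRING:
            return False
    return True


class AmbiguousOption(ValueError):
    """Raised when a prefix matches more than one long option."""


def canonical_long_option(token):
    """Resolve a '--name[=value]' token the way getopt_long does.

    Exact match wins; otherwise a unique prefix resolves to the full option;
    an ambiguous prefix raises; an unknown name returns None.
    """
    name = token[2:].split("=", 1)[0]
    if name in SORT_LONG_OPTIONS:
        return name
    matches = [opt for opt in SORT_LONG_OPTIONS if opt.startswith(name)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        return None
    raise AmbiguousOption(name)


def hardened_is_safe(args):
    """Canonicalise every long option before consulting the denied set.

    Fails closed on ambiguous or unknown options rather than guessing what
    the real parser would do. Tokens after '--' are operands, never options.
    """
    for token in args:
        if token == "--":
            break
        if not token.startswith("--"):
            continue
        try:
            canonical = canonical_long_option(token)
        except AmbiguousOption:
            return False
        if canonical is None or canonical in DENIED_OPTIONS:
            return False
    return True


if __name__ == "__main__":
    # Constructed argument vectors, as a caller of the sort interface might pass them.
    honest = ["--compress-program=/tmp/not-a-compressor", "input.txt"]
    bypass = ["--compress-prog=/tmp/not-a-compressor", "input.txt"]
    benign = ["-k", "2", "--rev", "input.txt"]
    for argv in (honest, bypass, benign):
        print(argv, "vulnerable:", vulnerable_is_safe(argv),
              "hardened:", hardened_is_safe(argv))
```

The honest spelling is rejected by both checks, the abbreviated spelling is accepted by the exact-string check and rejected by the canonicalising one, and the benign invocation passes both. The general lesson is that an allowlist for a command must validate what the command's own parser will see, not the bytes the caller typed; the same reasoning applies to short-option aliases and to option values that name programs or files.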
OpenCVE Enrichment
GitHub GHSA