Description
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers can bypass security analysis by injecting $\\ followed by a newline and opening parenthesis inside double quotes, causing the shell to fold the line continuation into executable command substitution that circumvents approval boundaries.
Published: 2026-03-19
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution via Allowlist Bypass
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.22 contain an allowlist bypass that allows an attacker to inject the characters $\ followed by a newline and an opening parenthesis inside double quotes. The shell's line-continuation handling removes the backslash-newline pair, folding the injected sequence into a command substitution that system.run then executes, which enables the execution of non-allowlisted commands. This is an OS Command Injection (CWE-78) that can run arbitrary system commands and compromise the confidentiality, integrity, or availability of the affected host.

Affected Systems

All OpenClaw installations running on Node.js that were deployed before release 2026.2.22 are affected, irrespective of operating system. The vulnerability applies to every environment that hosts the OpenClaw application, as indicated by the CPE string cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*.

Risk and Exploitability

The CVSS score of 6 indicates moderate severity, and no EPSS score is available, so the precise likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Based on the description, exploitation requires system.run to be invoked with untrusted input; whether the attack vector is local or remote therefore depends on whether that API is exposed to end users. An attacker with sufficient access to trigger system.run can achieve arbitrary command execution.

Generated by OpenCVE AI on March 19, 2026 at 02:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch released with OpenClaw 2026.2.22 or any later version.
  • Verify that the patched version is deployed on all affected hosts.
  • Review and tighten the allowlist configuration for system.run so that only essential commands are permitted.
  • Restrict or disable the use of system.run in contexts where it is not strictly required.
  • Monitor system logs for unusual system.run activity or command‑line patterns that match the described injection technique.

Generated by OpenCVE AI on March 19, 2026 at 02:52 UTC.
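The Impact section above describes how the shell folds a backslash-newline pair between $ and ( into a plain $( and the recommended actions call for tightening the system.run allowlist and recognising the split form; the following Node.js check, added here as an example and not OpenClaw's own code, scans a command string the way the shell reads it so that the split form is rejected like a direct $(. The allowlist and sample commands are constructed for illustration.

```javascript
// Added example, not OpenClaw's own code: scan a command string the way the
// shell reads it, so that "$\" + newline + "(" is treated like "$(".

// Index of the first command-substitution opener ("$(" or "`") that the
// shell would interpret, or -1 if there is none. Quote tracking follows
// POSIX sh rules: single quotes are fully literal, double quotes are not.
function findCommandSubstitution(cmd) {
  let inSingle = false;
  let inDouble = false;
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd[i];
    if (inSingle) {            // everything is literal until the closing '
      if (ch === "'") inSingle = false;
      continue;
    }
    if (ch === "\\") {         // backslash-newline is a line continuation and
      i++;                     // is deleted by the shell; any other escaped
      continue;                // character is literal, so step over it too
    }
    if (ch === "'" && !inDouble) { inSingle = true; continue; }
    if (ch === '"') { inDouble = !inDouble; continue; }
    if (ch === "`") return i;
    if (ch === "$") {
      // Fold any continuations between "$" and "(": this is the split form
      let j = i + 1;
      while (cmd[j] === "\\" && cmd[j + 1] === "\n") j += 2;
      if (cmd[j] === "(") return i;
    }
  }
  return -1;
}

// Allowlist gate: the program must be allowlisted and the command must not
// contain any command substitution once continuations are folded.
function isAllowed(cmd, allowlist) {
  const program = cmd.trimStart().split(/\s+/, 1)[0];
  return allowlist.includes(program) && findCommandSubstitution(cmd) === -1;
}

// Constructed sample inputs with a hypothetical allowlist (not OpenClaw's).
const ALLOWLIST = ["echo", "ls"];
const SAMPLES = {
  plain: 'echo "hello"',
  direct: 'echo "$(id)"',          // direct substitution
  split: 'echo "$\\\n(id)"',       // "$\" + newline + "(" folds to $(id)
  literal: "echo '$\\\n(id)'",     // single quotes: the shell keeps it literal
  wrapped: 'echo "one \\\ntwo"',   // harmless continuation inside quotes
};

for (const [name, cmd] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(8), isAllowed(cmd, ALLOWLIST) ? "allowed" : "blocked");
}
```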

Advisories
Source: Github GHSA
ID: GHSA-9868-vxmx-w862
Title: OpenClaw's system.run allowlist bypass via shell line-continuation command substitution

History

Wed, 25 Mar 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L'}
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}

Thu, 19 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 01:30:00 +0000

Type: Description
Values Added: OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers can bypass security analysis by injecting $\\ followed by a newline and opening parenthesis inside double quotes, causing the shell to fold the line continuation into executable command substitution that circumvents approval boundaries.

Type: Title
Values Added: OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run

Type: First Time appeared
Values Added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values Added: CWE-78

Type: CPEs
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Openclaw; Openclaw openclaw

Type: References
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L'}

Type: Metrics (cvssV4_0)
Values Added: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-25T14:30:52.660Z

Reserved: 2026-02-27T19:18:07.826Z

Link: CVE-2026-28460

Vulnrichment

Updated: 2026-03-19T15:24:33.286Z

NVD

Status : Modified

Published: 2026-03-19T02:16:02.603

Modified: 2026-03-25T15:16:39.837

Link: CVE-2026-28460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:33Z

Weaknesses