Description
OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit safe binaries like head, tail, or grep with glob patterns or environment variables to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode.
Published: 2026-03-05
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions before 2026.2.14 permit an arbitrary file read due to a flaw in the exec-approvals allowlist. The validation step checks each argument before shell expansion, but the subsequent execution performs a real shell expansion, allowing attackers to use glob patterns or environment variables with safe binaries such as head, tail, or grep to read files accessible to the gateway or Node.js process. This flaw is an example of CWE‑78, which represents a command injection or privilege escalation via uncontrolled use of system shell features.

Affected Systems

Affected systems include any deployment of OpenClaw running a version older than 2026.2.14. The vulnerability is present in all iterations of OpenClaw prior to the 2026.2.14 release, regardless of platform, as the bug originates in the generic exec‑approval mechanism that applies globally.

Risk and Exploitability

The CVSS base score of 8.6 classifies this issue as high severity. The EPSS score indicates an exploitation probability of less than 1%, and the vulnerability is not yet listed in CISA's KEV catalog. The attack vector likely requires either elevated privileges that allow execution of safe binaries or an attacker capable of executing prompt‑injection attacks to trigger shell expansion, thereby exposing non‑secret files that the gateway or Node.js process can read.

Generated by OpenCVE AI on April 15, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to OpenClaw version 2026.2.14 or later to receive the fixed allowlist validation logic.
  • Remove or disable host execution in allowlist mode to prevent any shell expansion from being performed by the gateway.
  • Enforce strict access controls on the execution of safe binaries so that only trusted users can invoke commands that include glob patterns or environment variables.

Generated by OpenCVE AI on April 15, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xvhf-x56f-2hpp OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion
History

Wed, 08 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description OpenClaw exec-approvals allowlist validation checks pre-expansion argv tokens but execution uses real shell expansion, allowing safe bins like head, tail, or grep to read arbitrary local files via glob patterns or environment variables. Authorized callers or prompt-injection attacks can exploit this to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode. OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit safe binaries like head, tail, or grep with glob patterns or environment variables to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode.

Mon, 09 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw exec-approvals allowlist validation checks pre-expansion argv tokens but execution uses real shell expansion, allowing safe bins like head, tail, or grep to read arbitrary local files via glob patterns or environment variables. Authorized callers or prompt-injection attacks can exploit this to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode.
Title OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-78
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-21T02:43:28.827Z

Reserved: 2026-02-27T19:18:27.709Z

Link: CVE-2026-28463

cve-icon Vulnrichment

Updated: 2026-03-09T17:48:31.457Z

cve-icon NVD

Status : Modified

Published: 2026-03-05T22:16:19.127

Modified: 2026-04-08T14:16:27.497

Link: CVE-2026-28463

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T20:00:06Z

Weaknesses