Impact
OpenClaw before version 2026.5.12 includes a flaw that bypasses the argument pattern validation in its exec allowlist, permitting attackers to supply disallowed arguments to allowlisted executables on Linux and macOS. This bypass can lead to unauthorized command execution, potentially granting the attacker access to sensitive files, network resources, or the ability to run arbitrary code. The weakness is categorized as a control failure related to argument validation (CWE‑693) and missing access control (CWE‑863).
Affected Systems
This vulnerability affects deployments of the OpenClaw application, specifically any installation of the OpenClaw software prior to release 2026.5.12. The affected vendor is OpenClaw, the product is OpenClaw. All systems running a vulnerable version on Linux or macOS are impacted.
Risk and Exploitability
The CVSS score for this issue is 7.6, indicating high severity, while the EPSS score of less than 1% suggests that exploitation is rare at the time of analysis. The vulnerability is not currently listed in CISA’s KEV catalog, meaning no documented public exploits exist. Attackers would need the ability to invoke allowlisted executables and supply bespoke arguments, so the likely attack vector is local or in contexts where command arguments are user‑controlled. Due to the high severity and the potential for remote command execution if an attacker can influence the arguments, organizations should consider this a critical risk for exposed or privileged environments.
OpenCVE Enrichment
Github GHSA