GHSA-7977-c43c-xpwj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7977-c43c-xpwj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-7977-c43c-xpwj/GHSA-7977-c43c-xpwj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7977-c43c-xpwj
- Aliases
- Downstream
- Published
- 2026-02-27T06:31:28Z
- Modified
- 2026-03-01T02:26:49.642705Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode
- Details
-
In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was denied.
- Database specific
{ "github_reviewed_at": "2026-02-28T02:17:24Z", "nvd_published_at": "2026-02-27T04:16:03Z", "severity": "CRITICAL", "cwe_ids": [ "CWE-184" ], "github_reviewed": true }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78
- https://nvd.nist.gov/vuln/detail/CVE-2026-28363
- https://github.com/openclaw/openclaw/commit/3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f
- https://github.com/openclaw/openclaw
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.23
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw