GHSA-9p38-94jf-hgjj

Summary

In OpenClaw's macOS node-host path, system.run allowlist parsing in security=allowlist mode failed to reject command substitution tokens when they appeared inside double-quoted shell text.

Because of that gap, payloads like echo "ok $(id)" could be treated as allowlist hits (first executable token echo) while still executing non-allowlisted subcommands through shell substitution.

Affected Packages / Versions

• Package: npm openclaw
• Latest published affected version: 2026.2.21-2
• Affected range: <= 2026.2.21-2
• Patched version (planned next release): 2026.2.22

Notes: - Default installs are not affected (security=deny by default). - The issue requires opting into security=allowlist on the macOS node-host path.

Impact

Approval/authorization bypass in allowlist mode that can lead to unintended command execution on the node host.

Preconditions

• Target uses macOS node-host / companion-app execution path.
• Exec approvals set to security=allowlist.
• Ask mode is on-miss or off.
• Allowlist contains a benign executable used in a shell wrapper flow (for example /bin/echo).

Reproduction (example)

Use a shell-wrapper command where the visible executable is allowlisted but the quoted payload contains substitution:

• command argv: /bin/sh -lc 'echo "ok $(/usr/bin/id > /tmp/openclaw-poc-rce)"'
• allowlist pattern includes /bin/echo

Before the fix, allowlist analysis could resolve this as allowlisted while shell substitution still executed.

Remediation

• Upgrade to 2026.2.22 (or newer) when released.
• Temporary mitigation: set ask mode to always or set security mode to deny.

Fix Commit(s)

• 90a378ca3a9ecbf1634cd247f17a35f4612c6ca6

Release Process Note

patched_versions is pre-set to planned next release 2026.2.22. After npm release is out, advisory can be published directly.

OpenClaw thanks @tdjackey for reporting.