Upgrade openclaw to version 2026.2.22 or higher.
openclaw is a 🦞 OpenClaw — Personal AI Assistant
Affected versions of this package are vulnerable to Improper Authorization in system.run due to a parsing mismatch in allowlist checks for shell-chain payloads. An attacker can execute unauthorized shell commands on a paired macOS host by submitting a shell-chain command that bypasses incomplete command views and is approved under specific security settings.
Note:
This is only exploitable if the caller is authenticated with operator.write, the target is a paired macOS beta node host, and exec approvals are set to security=allowlist and ask=on-miss.
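The bug class described above, as an added illustration (not OpenClaw's code and not a reconstruction of the actual flaw): an allowlist check that evaluates a narrower view of the command than the shell will run, next to one that checks every segment of a chain and sends anything it cannot fully parse to the approval prompt. ALLOWLIST, the function names and the sample commands are hypothetical.

```javascript
// Added illustration, not OpenClaw code. ALLOWLIST and all names are hypothetical.
const ALLOWLIST = new Set(["ls", "git", "echo"]);

// Weak view: only the first word of the whole string is checked, so whatever
// follows a chain operator never reaches the allowlist.
function naiveDecision(cmd) {
  return ALLOWLIST.has(cmd.trim().split(/\s+/)[0]) ? "allow" : "ask";
}

// Split on unquoted chain operators (; & && | || newline). Returns null for
// anything this simplified tokenizer cannot fully see: substitution, subshells,
// redirection, escapes, unbalanced quotes.
function splitChain(cmd) {
  const segments = [];
  let cur = "", quote = null;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (quote) {
      if (c === quote) quote = null;
      else if (quote === '"' && "$`\\".includes(c)) return null;
      cur += c;
    } else if (c === "'" || c === '"') {
      quote = c;
      cur += c;
    } else if ("$`()<>\\".includes(c)) {
      return null;
    } else if (";\n|&".includes(c)) {
      if ((c === "|" || c === "&") && cmd[i + 1] === c) i++; // || and &&
      segments.push(cur);
      cur = "";
    } else {
      cur += c;
    }
  }
  if (quote) return null;
  segments.push(cur);
  return segments.map((s) => s.trim()).filter((s) => s.length > 0);
}

// Every segment's command word must be allowlisted; a miss or an unparseable
// command goes to the approval prompt (the ask=on-miss path), never to "allow".
function strictDecision(cmd) {
  const segments = splitChain(cmd);
  if (segments === null || segments.length === 0) return "ask";
  return segments.every((s) => ALLOWLIST.has(s.split(/\s+/)[0])) ? "allow" : "ask";
}
```

The point of the strict variant is that the approval decision and the shell see the same set of commands; a real implementation would reuse the shell's own grammar instead of this reduced tokenizer.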