Command Injection Affecting openclaw package, versions <2026.2.22
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-OPENCLAW-15372192
- published4 Mar 2026
- disclosed3 Mar 2026
- credittdjackey
Introduced: 3 Mar 2026
New CVE NOT AVAILABLE CWE-78 (opens in a new tab)How to fix?
Upgrade openclaw to version 2026.2.22 or higher.
Overview
openclaw is a 🦞 OpenClaw — Personal AI Assistant
Affected versions of this package are vulnerable to Command Injection via the system.run when allowlist parsing fails to reject command substitution tokens inside double-quoted shell text. An attacker can execute unauthorized commands on the node host by crafting payloads that exploit shell substitution within allowlisted commands.
Note: This is only exploitable if the target uses the macOS node-host execution path, exec approvals are set to allowlist mode, ask mode is set to on-miss or off, and the allowlist contains a benign executable used in a shell wrapper flow.
Workaround
This vulnerability can be mitigated by setting ask mode to always or setting security mode to deny.