In openclaw npm releases up to and including 2026.2.21-2, approving wrapped system.run commands with allow-always in security=allowlist mode could persist wrapper-level allowlist entries and enable later approval-bypass execution of different inner payloads.

allow-always persistence was based on wrapper-level resolution instead of stable inner executable intent. A benign approved wrapper invocation could therefore broaden future trust boundaries.

Affected paths included gateway and node-host execution approval persistence flows. The fix now persists inner executable paths for known dispatch-wrapper chains (env, nice, nohup, stdbuf, timeout) and fails closed when safe unwrapping cannot be derived.

Authorization boundary bypass in allowlist mode, potentially leading to approval-free command execution (RCE class) on subsequent wrapped invocations.

Upgrade to 2026.2.22 (planned next release) or run with stricter exec policy (ask=always / security=deny) until upgraded.

patched versions is pre-set to 2026.2.22 so this advisory is publish-ready; publish after the npm release is live.

OpenClaw thanks @tdjackey for reporting.