PT-2026-20492 · Npm · Openclaw
Christos-Eth · Published 2026-02-17 · Updated 2026-03-01 · CVE-2026-26325
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.2.13 and earlier
Description: An allowlist bypass exists in the OpenClaw npm package. The commands that are verified against the allowlist are not the same commands that are ultimately executed, so a command that was never approved can run, potentially leading to the execution of unwanted commands and a compromise of security. The root cause is a logic decoupling: the code reads as correct, but the check and the execution operate on different data. Static analysis may miss this class of vulnerability because it reasons about syntax rather than intent. The system(.)run function is named as a potential entry point for exploitation.
Recommendations: Update versions prior to 2026.2.14 to version 2026.2.14 or later. Stop relying on regular expressions for command validation. Avoid security checks that inspect one value (Variable A) while the execution engine runs another (Variable B); the gap between what is checked and what is run is the logic flaw.
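As an added illustration of the check/execute decoupling described above (hypothetical code, not OpenClaw's implementation; the allowlist, the gate functions and the sample commands are constructed), the weak gate validates a regex-extracted first word while the executor receives the raw string for a shell to interpret, whereas the hardened gate validates the very argv it would execute and rejects anything a shell would reinterpret. The audit helper shows how a defender can surface requests where the two designs disagree.

```javascript
// Hypothetical allowlist used by both gates (constructed for this example).
const ALLOWLIST = new Set(['ls', 'cat', 'echo']);

// Characters that let one string carry more than one command once a shell parses it.
const SHELL_META = /[;&|`$<>(){}\n\\"']/;

// Weak design: the check inspects a regex-extracted first word (Variable A)
// while the executor is handed the untouched raw string (Variable B) for `sh -c`.
function weakGate(raw) {
  const m = /^\s*([A-Za-z0-9_-]+)/.exec(raw);
  const verified = m ? m[1] : null;
  if (!verified || !ALLOWLIST.has(verified)) {
    return { allowed: false, reason: 'not allowlisted' };
  }
  // What was verified ("echo") and what runs (the whole raw string) are different values.
  return { allowed: true, executes: raw, viaShell: true };
}

// Hardened design: refuse anything a shell would reinterpret, tokenize once into a
// plain argv, validate argv[0], and hand that same argv to the executor without a shell
// (e.g. child_process.execFile(argv[0], argv.slice(1))).
function hardenedGate(raw) {
  if (SHELL_META.test(raw)) {
    return { allowed: false, reason: 'shell metacharacter' };
  }
  const argv = raw.trim().split(/\s+/).filter(Boolean);
  if (argv.length === 0 || !ALLOWLIST.has(argv[0])) {
    return { allowed: false, reason: 'not allowlisted' };
  }
  // The checked value and the executed value are now the same object.
  return { allowed: true, executes: argv, viaShell: false };
}

// Detection aid: given logged command requests, return those the weak gate would have
// passed but the hardened gate rejects, i.e. where the executed text carried more than
// the verified command.
function auditMismatch(requests) {
  return requests.filter((r) => weakGate(r).allowed && !hardenedGate(r).allowed);
}
```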

Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2026-26325, GHSA-H3F9-MJWJ-W476

Affected Products: Openclaw