PT-2026-21338 · OpenClaw · Apple macOS

Aether-Ai-Agent

Published: 2026-02-18 · Updated: 2026-03-09

CVE-2026-27487 · CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.2.13 and below
Description: OpenClaw, a personal AI assistant, is vulnerable to OS command injection on macOS. Its Claude CLI keychain credential refresh path builds a shell command string around security add-generic-password -w ... in order to write the updated JSON credential blob to the macOS Keychain. The OAuth tokens embedded in that blob are user-controlled data, so a token value containing shell metacharacters is parsed by the shell instead of being stored as a literal password, and an attacker who can influence the token can execute arbitrary OS commands with the privileges of the OpenClaw process. The fix replaces the shell invocation with execFileSync("security", argv), which hands the keychain payload to the security binary as a single literal argument with no shell involved.
Recommendations: Update versions 2026.2.13 and below to version 2026.2.14 or later.

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2026-27487
GHSA-4564-PVR2-QQ4H

Affected Products

OpenClaw
Apple macOS