PT-2026-25447 · Npm · Openclaw
Published 2026-03-03 · Updated 2026-03-03
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Summary
In OpenClaw system.run allowlist mode, shell-wrapper analysis could be bypassed by splitting command substitution as $ + newline + ( inside double quotes. Analysis treated the payload as allowlisted (for example /bin/echo), while the shell runtime folded the line continuation into $(...) and executed non-allowlisted subcommands.
Affected Packages / Versions
- Package: npm openclaw
- Latest published affected version: 2026.2.21-2
- Affected range: <=2026.2.21-2
- Patched version (planned next release): 2026.2.22
Impact
In deployments that opt into tools.exec.security=allowlist (with ask=on-miss or off), this can bypass approval boundaries and lead to unintended command execution.
Fix Commit(s)
3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9
Remediation
- Upgrade to 2026.2.22 (or newer) when published.
- Temporary mitigation: set tools.exec.ask=always or tools.exec.security=deny.
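As an added illustration of the analysis-side fix (example code, not OpenClaw's own), the check below compares a naive scan for command substitution with one that first folds shell line continuations, the normalisation the advisory's bypass relies on being absent. It assumes the split form is $, backslash, newline, ( (the backslash-newline that bash removes inside double quotes); the sample command lines are constructed.

```javascript
// Added example, not OpenClaw code: an allowlist analyser must see the
// command the way the shell will, so line continuations are folded first.

// Naive check: looks only for the literal tokens "$(" and "`".
function naiveHasSubstitution(cmd) {
  return cmd.includes("$(") || cmd.includes("`");
}

// bash deletes a backslash immediately followed by a newline (a line
// continuation) both unquoted and inside double quotes, before any other
// parsing. Single-quoted text is not folded by bash, but folding it here
// as well only makes the check stricter (extra rejections, never misses).
function foldLineContinuations(cmd) {
  return cmd.replace(/\\\r?\n/g, "");
}

// Hardened check: normalise first, then look for substitution.
function hardenedHasSubstitution(cmd) {
  return naiveHasSubstitution(foldLineContinuations(cmd));
}

// Constructed sample command lines (hypothetical, not from the advisory).
const SAMPLES = {
  plain: '/bin/echo "hello"',
  direct: '/bin/echo "$(id)"',
  // "$" + backslash-newline + "(" inside double quotes: the shell runs $(id)
  split: '/bin/echo "$\\\n(id)"',
};

// Returns what each check decides for a command, for side-by-side review.
function analyze(cmd) {
  return {
    naive: naiveHasSubstitution(cmd),
    hardened: hardenedHasSubstitution(cmd),
    folded: foldLineContinuations(cmd),
  };
}

for (const [name, cmd] of Object.entries(SAMPLES)) {
  console.log(name, analyze(cmd));
}
```

The split sample passes the naive check and is caught by the hardened one; the folded text is exactly the direct form the shell ends up executing.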
Release Process Note
The patched version is pre-set to the planned next release, 2026.2.22. Once the npm release is out, this advisory should be ready for direct publication without additional metadata edits.
OpenClaw thanks @tdjackey for reporting.
OS Command Injection
Incorrect Authorization
Affected Products
Openclaw