PT-2026-26010 · Openclaw · Openclaw

Tdjackey · Published 2026-02-22 · Updated 2026-03-18 · CVE-2026-22179

CVSS v2.0: 8.3 (High)
Vector: AV:N/AC:L/Au:M/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.22
Description: OpenClaw's macOS node-host system.run component contains an allowlist bypass. The allowlist parser fails to reject command substitution tokens when they appear inside double-quoted shell text, so a remote attacker can craft a shell payload whose first word is an allowlisted executable while a command substitution inside the quoted text runs a non-allowlisted subcommand, resulting in arbitrary command execution on the system. The issue only applies when security=allowlist has been opted into on the macOS node-host path. An example payload is /bin/sh -lc 'echo "ok $(/usr/bin/id > /tmp/openclaw-poc-rce)"', where /bin/echo is allowlisted but the shell substitution executes /usr/bin/id.
Recommendations: Upgrade to version 2026.2.22 or newer when released. As a temporary mitigation, set ask mode to always, or set security mode to deny.
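The defect class described above can be illustrated with a small allowlist gate. This is an added example, not OpenClaw's code: the allowlist contents, the function names and the handling of sh -c style wrappers are assumptions. It contrasts a naive first-word check, which strips quotes during tokenisation and therefore passes the advisory's payload, with a scanner that rejects $( and backtick tokens wherever the shell would actually expand them (unquoted or inside double quotes) while leaving single-quoted text alone.

```python
import shlex

# Constructed example allowlist; OpenClaw's real configuration is not on the page.
ALLOWLIST = {"/bin/echo", "echo"}

# The script quoted in the advisory (the argument passed to sh -lc).
ADVISORY_PAYLOAD = 'echo "ok $(/usr/bin/id > /tmp/openclaw-poc-rce)"'


def find_command_substitution(shell_text):
    """Return (index, token) for every $( or backtick the shell would expand.

    Command substitution is expanded in unquoted text and inside double quotes,
    but not inside single quotes. A backslash suppresses the special meaning of
    the next character outside single quotes (e.g. a backslash-escaped dollar).
    """
    hits = []
    in_single = in_double = False
    i, n = 0, len(shell_text)
    while i < n:
        c = shell_text[i]
        if in_single:
            if c == "'":
                in_single = False
        elif c == "\\":
            i += 1  # skip the escaped character
        elif c == "'" and not in_double:
            in_single = True
        elif c == '"':
            in_double = not in_double
        elif c == "`":
            hits.append((i, "`"))
        elif c == "$" and i + 1 < n and shell_text[i + 1] == "(":
            hits.append((i, "$("))
        i += 1
    return hits


def naive_allows(shell_text, allowlist=ALLOWLIST):
    """Flawed check of the kind the advisory describes: the tokenizer strips the
    quotes and only the first word is compared, so $(...) inside double-quoted
    text is never examined."""
    words = shlex.split(shell_text)
    return bool(words) and words[0] in allowlist


def hardened_allows(shell_text, allowlist=ALLOWLIST):
    """Reject the whole script if it carries any expandable substitution token,
    then apply the first-word allowlist check."""
    if find_command_substitution(shell_text):
        return False
    return naive_allows(shell_text, allowlist)


def check_invocation(argv, allowlist=ALLOWLIST):
    """Hypothetical entry point for a system.run-style gate: when argv is a shell
    wrapper (sh/bash with a -c style flag), judge the script it carries rather
    than the wrapper; otherwise compare argv[0] against the allowlist."""
    shells = {"/bin/sh", "sh", "/bin/bash", "bash"}
    if len(argv) >= 3 and argv[0] in shells and argv[1].startswith("-") and "c" in argv[1]:
        return hardened_allows(argv[2], allowlist)
    return bool(argv) and argv[0] in allowlist


if __name__ == "__main__":
    argv = ["/bin/sh", "-lc", ADVISORY_PAYLOAD]
    print("naive check   :", "allowed" if naive_allows(ADVISORY_PAYLOAD) else "denied")
    print("hardened check:", "allowed" if check_invocation(argv) else "denied")
    print("tokens found  :", find_command_substitution(ADVISORY_PAYLOAD))
```

The scanner is deliberately conservative: it flags $(( arithmetic as well as $( command substitution, and a rejected script is simply denied rather than sanitised, which matches the advisory's recommended fallback of a deny mode when the allowlist cannot be trusted.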

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2026-05245
CVE-2026-22179
GHSA-9P38-94JF-HGJJ

Affected Products

Openclaw