PT-2026-38248 · Openclaw · Openclaw
Vladimir Tokarev · Published 2026-04-23 · Updated 2026-05-28 · CVE-2026-44115
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.4.22
Description
The exec allowlist analysis does not account for shell expansion hidden inside unquoted heredoc bodies. An attacker can bypass allowlist validation by embedding shell expansion tokens in a heredoc body: the command appears safe during validation, but unapproved commands execute at runtime. This can leak API keys through paths that passed validation. Approximately 245,000 instances are potentially exposed.
Recommendations
Update to version 2026.4.22 or later.
Fix
Weakness Enumeration
Incomplete List of Disallowed Inputs
Related Identifiers
Affected Products
Openclaw