CVE-2026-53855

OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside...

CVE-2026-42423

OpenClaw prior to 2026.4.8 contains an approval-timeout fallback that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. This allows an attacker to exploit the timeout fallback to execute inline eval commands that would normally require explicit user approval...

Improper Input Validation

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Input Validation in to the strictInlineEval function. An attacker can execute unauthorized inline evaluation commands by exploiting the approval-timeout fallback mechanism, which...

GHSA-Q2GC-XJQW-QP89 OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts

Impact strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts. The approval-timeout fallback could allow inline eval commands that strictInlineEval was meant to require explicit approval for. OpenClaw is a user-controlled local assistant...