OpenClaw has allowlist exec-guard bypass via env -S

Summary In allowlist mode, system.run guardrails could be bypassed through env -S, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads. Severity Rationale Medium This issue is rated medium because it is a guardrail/policy bypass in OpenClaw's trusted-operator model, not ...

Command Injection

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Command Injection via the system.run shell-wrapper. An attacker can execute arbitrary shell commands outside the intended allowlisted command body by injecting SHELLOPTS and PS4 environme...

PT-2026-26222

Summary system.run exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap env/shell-dispatch wrappers. This allowed wrapper-smuggled payloads for example env bash -lc ... to satisfy an allowlist entry for the wrapper while executing non-allowlisted...

PT-2026-26385

Summary system.run allowed SHELLOPTS + PS4 environment injection to trigger command substitution during bash -lc xtrace expansion before the allowlisted command body executed. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.21-2 includes latest published npm version at...

PT-2026-26404

Summary A wrapper-depth parsing mismatch in system.run allowed nested transparent dispatch wrappers for example repeated /usr/bin/env to suppress shell-wrapper detection while still matching allowlist resolution. In security=allowlist + ask=on-miss, this could bypass the expected approval prompt...

Incomplete List of Disallowed Inputs

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the exec approvals, when approvals are granted through unrecognized multiplexer shell wrappers. An attacker can execute unauthorized commands by...

GHSA-GWQP-86Q6-W47G OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)

Summary OpenClaw exec approvals could be bypassed in allowlist mode when allow-always was granted through unrecognized multiplexer shell wrappers notably busybox sh -c and toybox sh -c. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.22-2 - Latest published vulnerable...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the allow-always wrapper in security=allowlist mode. An attacker can execute arbitrary commands without further approval by exploiting persistent wrapper-level...

OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution

Summary In openclaw npm releases up to and including 2026.2.21-2, approving wrapped system.run commands with allow-always in security=allowlist mode could persist wrapper-level allowlist entries and enable later approval-bypass execution of different inner payloads. Affected Packages / Versions -...

GHSA-6J27-PC5C-M8W8 OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution

Summary In openclaw npm releases up to and including 2026.2.21-2, approving wrapped system.run commands with allow-always in security=allowlist mode could persist wrapper-level allowlist entries and enable later approval-bypass execution of different inner payloads. Affected Packages / Versions -...

Command Injection

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Command Injection in the wrapper resolution. An attacker can execute arbitrary commands by influencing the current working directory during wrapper resolution for .cmd or .bat files on...

CpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths

Summary On Windows ACPX paths, wrapper resolution for .cmd/.bat could fall back to shell execution in ways that allowed cwd influence to alter execution behavior. Impact In affected Windows ACPX configurations, this could enable command execution integrity loss through cwd-influenced wrapper...

GHSA-6F6J-WX9W-FF4J CpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths

Summary On Windows ACPX paths, wrapper resolution for .cmd/.bat could fall back to shell execution in ways that allowed cwd influence to alter execution behavior. Impact In affected Windows ACPX configurations, this could enable command execution integrity loss through cwd-influenced wrapper...

did-sdk-python (>=1.0.0 <=1.1.3), django-ninja-aio-crud (>=1.0.5 <=2.32.0) +9 more potentially affected by CVE-2026-27932 via joserfc (>=0.9.0 <=1.6.1)

joserfc PYPI version =0.9.0, =1.0.0, =1.0.5, =2.5.0, =2.0.0, =3.0.2, =0.1.3, =0.18.1, =0.1.0, =0.9.0, =0.1.0, =0.5.0rc2 Source cves: CVE-2026-27932 Source advisory: OSV:GHSA-W5R5-M38G-F9F9...

PT-2026-26239

Summary On Windows ACPX paths, wrapper resolution for .cmd/.bat could fall back to shell execution in ways that allowed cwd influence to alter execution behavior. Impact In affected Windows ACPX configurations, this could enable command execution integrity loss through cwd-influenced wrapper...

PT-2026-26007

Summary OpenClaw exec approvals could be bypassed in allowlist mode when allow-always was granted through unrecognized multiplexer shell wrappers notably busybox sh -c and toybox sh -c. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.22-2 - Latest published vulnerable...

Off-by-one Error

Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...

Out-of-bounds Read

Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

Missing Release of Memory after Effective Lifetime

Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

PT-2026-21591

Name of the Vulnerable Software and Affected Versions free5GC SMF versions up to and including 1.4.1 Description free5GC SMF provides the Session Management Function for free5GC, an open-source project for 5G mobile core networks. The software experiences a panic and terminates when processing a...