CVE-2026-27487
Received Received - Intake
OS Command Injection in OpenClaw macOS Keychain Credential Refresh

Publication date: 2026-02-21

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-21
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27487
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.2.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27487 is a high-severity OS command injection vulnerability in the OpenClaw personal AI assistant on macOS platforms, specifically in versions up to 2026.2.13.

The vulnerability occurs in the Claude CLI keychain credential refresh process, where a shell command is constructed to write updated OAuth token data into the macOS Keychain using the command `security add-generic-password -w ...`.

Because OAuth tokens are user-controlled data, the shell command construction allowed attackers to inject malicious shell commands by including shell metacharacters such as command substitutions `$(...)` or backticks `` `...` `` in the token values.

This flaw enabled arbitrary command execution with the privileges of the user running the OpenClaw CLI.

The vulnerability was fixed in version 2026.2.14 by replacing the unsafe shell command execution (`execSync`) with a safer direct binary invocation (`execFileSync`) that passes arguments as an array, preventing shell interpretation and injection.

Impact Analysis

This vulnerability can lead to unauthorized execution of arbitrary commands on your macOS system with the privileges of the OpenClaw user.

An attacker controlling OAuth token values could exploit this to execute malicious shell commands, potentially leading to:

  • Unauthorized access to sensitive data stored on the system.
  • Modification or corruption of data and credentials.
  • Partial denial of service or disruption of availability.

The CVSS v3.1 base score of 7.6 reflects high confidentiality and integrity impacts, with low availability impact.

Detection Guidance

This vulnerability involves OS command injection via the macOS `security add-generic-password` command used by the OpenClaw Claude CLI keychain credential refresh process. Detection involves checking if the vulnerable versions (2026.2.13 and below) of OpenClaw are running on macOS systems.

Specifically, detection can focus on identifying if the vulnerable CLI is executing shell commands with user-controlled OAuth tokens that might contain shell metacharacters such as `$()` or backticks. Since the vulnerability arises from command injection in the shell command construction, monitoring for suspicious or unexpected invocations of the `security` command with unusual arguments could help.

Suggested commands to detect potential exploitation or presence of the vulnerable code include:

  • Check the installed OpenClaw version: `openclaw --version` or check the package version in your environment.
  • Search running processes for usage of the `security` command related to OpenClaw: `ps aux | grep security` or `ps aux | grep openclaw`.
  • Audit shell command invocations that include suspicious OAuth token patterns, for example by reviewing logs or using system auditing tools to detect commands containing `$(` or backticks.
  • Use macOS audit or monitoring tools to track calls to `security add-generic-password` and inspect arguments for suspicious content.

Note that no specific detection commands or scripts are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.2.14 or later, where the vulnerability has been fixed.

The fix replaces the vulnerable shell command execution using `execSync` with a safer direct binary invocation using `execFileSync`, which prevents shell injection by passing arguments as literal strings rather than shell-interpreted commands.

Additional immediate steps include:

  • Avoid using vulnerable versions (2026.2.13 and below) of OpenClaw on macOS systems.
  • If upgrading is not immediately possible, restrict or monitor usage of the Claude CLI keychain credential refresh functionality to prevent exploitation.
  • Audit and restrict OAuth token inputs to prevent injection of shell metacharacters.
  • Implement monitoring to detect suspicious command executions involving the `security` command.

Ultimately, upgrading to the fixed version is the recommended and most effective mitigation.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27487. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart