Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-22179 is a security vulnerability in OpenClaw versions prior to 2026.2.22 on macOS, specifically affecting the node-host system.run function when using the security=allowlist mode.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the allowlist parsing fails to properly detect and block command substitution tokens embedded within double-quoted shell strings. This means that an attacker can craft shell commands using command substitution syntax (like $(command)) inside double quotes to bypass the allowlist restrictions.'}, {'type': 'paragraph', 'content': 'For example, a command such as `echo "ok $(id)"` is incorrectly allowed because the initial executable `echo` is on the allowlist, but the shell substitution `$(id)` executes a non-allowlisted command, allowing arbitrary command execution on the system.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified as an OS Command Injection issue (CWE-78) due to improper neutralization of special elements used in OS commands.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to an allowlist bypass, enabling remote attackers to execute arbitrary, non-allowlisted commands on the affected macOS system running OpenClaw with security=allowlist enabled.

The impact includes unauthorized command execution with potentially high privileges, which can compromise the confidentiality, integrity, and availability of the system.

Exploitation requires specific conditions such as using the macOS node-host or companion-app execution path, having exec approvals set to allowlist mode, and an allowlist containing a benign executable used in a shell wrapper.

If exploited, attackers could perform unauthorized actions on the system, potentially leading to data breaches, system manipulation, or denial of service.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves bypassing the allowlist in OpenClaw's system.run function on macOS by using command substitution tokens within double-quoted strings. Detection involves monitoring for suspicious shell commands that include command substitution syntax such as $(...) or backticks (`...`) embedded inside double quotes."}, {'type': 'paragraph', 'content': 'A practical detection approach is to look for commands similar to the example exploit: `/bin/sh -lc \'echo "ok $(/usr/bin/id > /tmp/openclaw-poc-rce)"\'` where an allowlisted command like echo is combined with a non-allowlisted command inside command substitution.'}, {'type': 'paragraph', 'content': 'You can search your system logs or command execution logs for patterns matching command substitution inside double quotes, for example using grep:'}, {'type': 'list_item', 'content': 'grep -rE \'".*\\$\\(.*\\).*"\' /var/log/'}, {'type': 'list_item', 'content': 'grep -rE \'".*`.*`.*"\' /var/log/'}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unexpected file creations or command executions triggered by such payloads (e.g., files like /tmp/openclaw-poc-rce) can help detect exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.2.22 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, temporary workarounds include:

• Switching the security mode from `allowlist` to `deny` mode, which is the default and not affected by this vulnerability.
• Setting the ask mode to `always`, which forces explicit approval for command execution and prevents silent bypass.

These steps reduce the risk of unauthorized command execution until the patched version can be deployed.

Useful 0 Not Useful 0