Executive Summary

CVE-2026-28460 is an allowlist bypass vulnerability in OpenClaw versions prior to 2026.2.22 affecting the system.run function.

Attackers exploit this vulnerability by injecting a shell line-continuation sequence consisting of a backslash followed by a newline and an opening parenthesis inside double quotes. This causes the shell to fold the line continuation into executable command substitution, effectively splitting the command.

Because of this, non-allowlisted commands can be executed despite the allowlist intended to restrict command execution, bypassing security approval boundaries.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows attackers to execute unauthorized commands on systems using OpenClaw's system.run allowlist mode."}, {'type': 'paragraph', 'content': 'It can lead to improper authorization and OS command injection, potentially compromising system integrity by allowing execution of commands that should be blocked.'}, {'type': 'paragraph', 'content': 'Deployments using tools.exec.security=allowlist with ask=on-miss or ask=off are particularly at risk, as attackers can bypass approval boundaries and cause unintended command execution.'}] [2, 3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying shell commands that contain shell line-continuation sequences, specifically a backslash followed by a newline character sequence (\\ followed by \\n, \\r, or \\r\\n). Such sequences are used to bypass allowlist checks by splitting command substitution.'}, {'type': 'paragraph', 'content': 'A practical approach is to scan logs or command inputs for patterns matching escaped line continuations inside double quotes, such as commands containing the sequence `$\\\n(` or similar constructs.'}, {'type': 'paragraph', 'content': 'While no explicit detection commands are provided, administrators can search for suspicious commands using shell tools like grep. For example, to find commands with backslash-newline sequences in logs or scripts, you might use:'}, {'type': 'list_item', 'content': "grep -P '\\\\\\n' /path/to/command/logs"}, {'type': 'list_item', 'content': "grep -P '\\$\\\\\\n\\(' /path/to/command/logs"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for denied execution events related to shell-wrapper invocations blocked due to line-continuation allowlist bypass attempts can help detect exploitation attempts, as the patched OpenClaw versions emit such denial events.'}] [1, 2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.2.22 or later, which includes a fix that detects and blocks shell commands using line-continuation characters to bypass allowlist checks.

As a temporary workaround before upgrading, administrators can configure OpenClaw to either always ask for approval on command execution or deny execution outright by setting:

• tools.exec.ask=always
• or
• tools.exec.security=deny

These settings prevent bypass of the allowlist by requiring explicit approval or denying execution, thus mitigating the risk of unauthorized command execution via this vulnerability.

Useful 0 Not Useful 0