OpenClaw Exec Approval Bypass Vulnerability in Allowlist Mode

Vulnerability

A vulnerability allowing exec approval bypass has been identified in OpenClaw versions prior to 2026.2.23. The issue arises in allowlist mode: 'allow-always' grants could be circumvented because the allowlist did not recognize multiplexer shell wrappers, specifically 'busybox' and 'toybox' invoking 'sh -c'. Since the stored allowlist rule matched the wrapper rather than the payload inside it, an attacker could invoke an arbitrary payload under the same multiplexer wrapper, satisfy the stored rule, and bypass the intended execution restrictions.

Impact

Exploitation of this vulnerability allows for the bypass of execution restrictions, enabling unauthorized commands to be executed under the guise of approved multiplexer wrappers.

Reproduction

The vulnerability can be reproduced by first granting 'allow-always' permission to a command wrapper that the OpenClaw allowlist recognizes. Then, using a shell multiplexer such as 'busybox' or 'toybox', invoke a command that the allowlist does not directly recognize but that runs through the approved wrapper. The unrecognized command executes despite the intended controls, because the stored allowlist rule is satisfied by the wrapper alone.
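The failure mode above is an allowlist that keys its decision on the outermost program name and never looks inside multiplexer or 'sh -c' wrappers. The following added example (not OpenClaw's code; a constructed model of an allow-always list keyed on command name) places the wrapper-blind matcher beside a hardened one that peels 'busybox'/'toybox' applet dispatch and the exact 'sh -c <script>' shape before matching, and that refuses to auto-approve anything it cannot reduce to a single command. The wrapper lists, operator set and function names are assumptions for illustration.

```python
import os
import shlex

# Constructed model of an "allow-always" allowlist keyed on command name.
# Added illustration, not OpenClaw's own implementation.
MULTIPLEXERS = {"busybox", "toybox"}       # binaries that run applets by name
SHELLS = {"sh", "ash", "dash", "bash", "zsh"}
SHELL_OPERATORS = set(";|&$`<>\n")         # metacharacters that chain commands


def naive_effective_command(argv):
    """Weak form: matches on argv[0] only, so any wrapper satisfies the rule."""
    return os.path.basename(argv[0]) if argv else None


def effective_command(argv):
    """Hardened form: peel multiplexer and `sh -c` wrappers to find the real
    command. Returns None when the payload cannot be reduced to one plain
    command (shell operators, unusual wrapper usage); callers must treat
    None as 'needs explicit approval', never as allowed."""
    argv = list(argv)
    while argv:
        head = os.path.basename(argv[0])
        if head in MULTIPLEXERS:
            # `busybox sh -c ...` -> `sh -c ...`. A flag in applet position
            # (e.g. `busybox --install`) is not applet dispatch: refuse.
            if len(argv) < 2 or argv[1].startswith("-"):
                return None
            argv = argv[1:]
            continue
        if head in SHELLS:
            # Only the exact `<shell> -c <script>` shape is unwrapped.
            if len(argv) < 3 or argv[1] != "-c":
                return None
            script = argv[2]
            if any(ch in SHELL_OPERATORS for ch in script):
                return None  # compound command: do not reduce it
            argv = shlex.split(script)
            continue
        return head          # innermost, non-wrapper command
    return None


def is_allowed(argv, allowlist, *, hardened=True):
    """Decide whether argv is covered by a stored allow-always grant."""
    cmd = effective_command(argv) if hardened else naive_effective_command(argv)
    return cmd is not None and cmd in allowlist


if __name__ == "__main__":
    # Constructed grant list: the wrapper itself was approved once.
    grants = {"busybox", "ls"}
    wrapped = ["busybox", "sh", "-c", "uname -a"]
    print("naive   :", is_allowed(wrapped, grants, hardened=False))  # True
    print("hardened:", is_allowed(wrapped, grants))                  # False
```

Design note: in the hardened form a grant for 'busybox' alone never matches anything, because grants are evaluated against the innermost command; 'busybox sh -c "ls -la"' is approved only if 'ls' itself is on the list, and any script containing chaining operators is sent back for explicit approval rather than silently reduced.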

Remediation

Users can update to OpenClaw version 2026.2.23 or later, where this vulnerability has been patched.

Added: Mar 18, 2026, 2:31 AM
Updated: Mar 18, 2026, 2:31 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  3.9
remediation     0.0
relevance       4.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.