OpenClaw Allowlist Bypass Vulnerability in macOS Node-Host System.run
Vulnerability
An allowlist bypass has been identified in OpenClaw versions prior to 2026.2.22, specifically in the macOS node-host 'system.run' feature. The allowlist check mishandles command substitution tokens ($(...)) that appear inside double-quoted strings: it validates the leading word of the command line against the allowlist but does not examine substitutions embedded in later arguments, which the shell still expands and executes. A remote attacker who can submit commands to the node-host can therefore craft a shell payload whose first word is an allowlisted executable while a substitution inside a double-quoted argument runs a command that is not on the allowlist.
Impact
Exploitation of this vulnerability allows for unauthorized command execution on the macOS node-host, bypassing allowlist restrictions and potentially leading to further exploitation or system compromise.
Reproduction
To reproduce this vulnerability, configure the 'system.run' allowlist to include a benign command such as '/bin/echo'. Then submit a command whose double-quoted argument carries a substitution, such as 'echo "ok $(/usr/bin/id)"'. The allowlist parser recognises the leading word as an allowlisted executable and accepts the whole command, but when the shell runs it the substitution executes /usr/bin/id (which is not allowlisted) before echo is invoked, and splices its output into echo's argument. The substitution is not hidden or run in the background; it simply runs before the allowlisted command as part of ordinary shell expansion. Single-quoted arguments are not affected, because the shell treats $(...) inside single quotes as literal text; the flaw is specific to double quotes, where substitution is still expanded.
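The following is an added example, not OpenClaw's own code, that models both the flawed check described in the Vulnerability and Reproduction sections and a hardened replacement. The function names, the ALLOWLIST, the PATH_LOOKUP table used to resolve a bare 'echo' to '/bin/echo', and the sample commands are all constructed for this illustration. naiveAllowlistCheck() compares only the first word against the allowlist, so the advisory's payload passes; hardenedAllowlistCheck() scans the whole line with shell quoting rules and refuses any command substitution (inside double quotes included) or unquoted shell metacharacter before consulting the allowlist.

```typescript
// Added example (not OpenClaw's code): flawed first-word allowlist check beside
// a hardened check that scans the full command line with shell quoting rules.

interface AllowResult {
  allowed: boolean;
  reason: string;
}

interface ScanResult {
  argv0: string;            // first word with quotes and escapes removed
  hasSubstitution: boolean; // $(...) or `...` seen outside single quotes
  hasMetachar: boolean;     // unquoted ; | & < > or newline seen
  unterminated: boolean;    // a quote was never closed
}

// Constructed PATH lookup so a bare "echo" resolves like the advisory's example.
// A real node-host resolves PATH itself; this table is an assumption.
const PATH_LOOKUP: Readonly<Record<string, string>> = { echo: "/bin/echo", id: "/usr/bin/id" };

function resolveArgv0(word: string): string {
  if (word.includes("/")) return word;
  return PATH_LOOKUP[word] ?? word;
}

// Classify characters the way a POSIX shell does: single quotes are fully
// literal, double quotes still expand $(...) and `...`, and a backslash makes
// the following character literal.
function scanCommand(cmd: string): ScanResult {
  const r: ScanResult = { argv0: "", hasSubstitution: false, hasMetachar: false, unterminated: false };
  let quote: string | null = null;
  let inFirstWord = true;
  const push = (ch: string): void => { if (inFirstWord) r.argv0 += ch; };
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    const next = cmd[i + 1] ?? "";
    if (quote === "'") {                      // single quotes: nothing is special
      if (c === "'") quote = null; else push(c);
      continue;
    }
    if (c === "\\" && next !== "") {          // escaped character is literal
      push(next);
      i++;
      continue;
    }
    if (c === "`" || (c === "$" && next === "(")) {
      r.hasSubstitution = true;               // expands inside "" too: this is the bug class
    }
    if (quote === '"') {
      if (c === '"') quote = null; else push(c);
      continue;
    }
    // unquoted region
    if (c === "'" || c === '"') { quote = c; continue; }
    if (c === " " || c === "\t") { if (r.argv0 !== "") inFirstWord = false; continue; }
    if (";|&<>\n".includes(c)) { r.hasMetachar = true; continue; }
    push(c);
  }
  r.unterminated = quote !== null;
  return r;
}

// Flawed check (the behaviour the advisory describes): split on whitespace and
// compare only the executable; everything after it is never inspected.
function naiveAllowlistCheck(cmd: string, allow: ReadonlySet<string>): AllowResult {
  const first = resolveArgv0(cmd.trim().split(/\s+/)[0] ?? "");
  return allow.has(first)
    ? { allowed: true, reason: `${first} is allowlisted` }
    : { allowed: false, reason: `${first} is not allowlisted` };
}

// Hardened check: reject anything the shell would expand or chain, then
// compare the resolved executable against the allowlist.
function hardenedAllowlistCheck(cmd: string, allow: ReadonlySet<string>): AllowResult {
  const s = scanCommand(cmd);
  if (s.unterminated) return { allowed: false, reason: "unterminated quote" };
  if (s.hasSubstitution) return { allowed: false, reason: "command substitution ($(...) or `...`) present" };
  if (s.hasMetachar) return { allowed: false, reason: "unquoted shell metacharacter present" };
  const argv0 = resolveArgv0(s.argv0);
  return allow.has(argv0)
    ? { allowed: true, reason: `${argv0} is allowlisted and arguments are literal` }
    : { allowed: false, reason: `${argv0} is not allowlisted` };
}

const ALLOWLIST: ReadonlySet<string> = new Set(["/bin/echo"]);

// Constructed sample commands; the first is the advisory's bypass payload.
const SAMPLES: readonly string[] = [
  'echo "ok $(/usr/bin/id)"',    // substitution in double quotes: bypasses naive check
  "echo 'ok $(/usr/bin/id)'",    // single quotes: literal text, no execution
  'echo "ok \\$(/usr/bin/id)"',  // escaped $ inside double quotes: literal
  "echo ok; /usr/bin/id",        // unquoted separator chains a second command
  'echo "ok `/usr/bin/id`"',     // backtick form of substitution
  "/usr/bin/id",                 // not allowlisted at all
];

for (const c of SAMPLES) {
  console.log(`${c}\n  naive:    ${JSON.stringify(naiveAllowlistCheck(c, ALLOWLIST))}`);
  console.log(`  hardened: ${JSON.stringify(hardenedAllowlistCheck(c, ALLOWLIST))}`);
}
```

The hardened variant deliberately denies rather than tries to sanitise: stripping `$(` from a string is fragile, whereas refusing any line that contains a substitution or an unquoted metacharacter keeps the allowlist's semantics simple (one allowlisted executable, literal arguments only).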
Remediation
Users are advised to upgrade to OpenClaw version 2026.2.22 or later. If an immediate upgrade is not possible, stop relying on the allowlist check alone: set the 'ask' mode to 'always' (so every system.run command requires explicit approval) or the 'security' mode to 'deny' (so system.run commands are rejected) until the upgrade can be applied.
