OpenClaw Node Host Allowlist Bypass Vulnerability in System.run Command Handling

Vulnerability

OpenClaw versions prior to 2026.2.14 contain a flaw in the node host execution path. The 'system.run' handler accepts two representations of the command to run: a 'rawCommand' string and a 'command[]' argument array. Allowlist and approval evaluation is performed on 'rawCommand', while 'command[]' is what the node actually executes, so a single request can be evaluated as one command and run as another. The issue is only reachable in deployments that route execution through the node host 'system.run' on a node, use allowlist-based execution policies that fall back to an approval prompt on an allowlist miss, and allow the attacker to invoke 'system.run'.

Impact

An attacker who can invoke 'system.run' supplies an allowlisted 'rawCommand' together with a different 'command[]'. The policy evaluation sees the allowlisted string, treats the request as an allowlist hit and raises no approval prompt; the node then executes the attacker-chosen 'command[]', which was never evaluated. Both allowlist enforcement and the operator approval workflow are bypassed for that execution.

Reproduction

To reproduce, run an OpenClaw deployment on a version prior to 2026.2.14, configured to use the node host execution path with an allowlist-based execution policy that requires approval for allowlist misses. Invoke 'system.run' on a node with a 'rawCommand' value that matches the allowlist and a 'command[]' value that does not (for example, a program that is not allowlisted). The allowlist evaluation runs against 'rawCommand' and passes without an approval prompt, while the node executes 'command[]'. A fixed deployment should instead prompt for approval or reject the mismatched request.
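The mechanism above, as an added model written for this page rather than OpenClaw's own handler: one function reproduces the vulnerable ordering (policy evaluated on 'rawCommand', 'command[]' executed) and one the hardened ordering (policy evaluated on the exact argv that will run, with a disagreeing 'rawCommand' rejected). The allowlist contents, the argv[0] matching rule, the handler names and the sample requests are constructed assumptions; the real policy format is not described on this page. Nothing is executed; each handler returns the decision it would have made and the argv that would have run.

```python
"""Model of the rawCommand / command[] mismatch described above.

Illustrative code written for this page, not OpenClaw's own handler. The
allowlist contents, the argv[0] matching rule, the request field names and
the handler names are all assumptions chosen to make the mechanism visible.
"""
import shlex

# Constructed allowlist: a command is allowed when its argv[0] is listed
# (assumed policy shape; the real policy format is not described on the page).
ALLOWLIST = {"ls", "cat", "uptime"}


def is_allowlisted(argv):
    """Allowlist hit when the program name (argv[0]) is in ALLOWLIST."""
    return bool(argv) and argv[0] in ALLOWLIST


def handle_vulnerable(request):
    """Ordering modelled on the advisory: policy is evaluated on rawCommand
    when it is present, but the node executes command[].

    Returns (decision, argv) instead of executing anything, so the model is
    safe to run: 'executed' means the argv would have run with no prompt,
    'approval_required' means the operator would have been asked.
    """
    argv = list(request["command"])
    raw = request.get("rawCommand")
    evaluated = shlex.split(raw) if raw else argv
    if not is_allowlisted(evaluated):
        return ("approval_required", evaluated)
    return ("executed", argv)  # argv itself was never evaluated when raw was set


def handle_fixed(request):
    """Hardened ordering: the argv that will execute is the only thing the
    policy ever sees, and a rawCommand that disagrees with it is rejected
    outright instead of being trusted as a stand-in.
    """
    argv = list(request["command"])
    raw = request.get("rawCommand")
    if raw is not None and shlex.split(raw) != argv:
        return ("rejected", argv)  # mismatch is itself worth logging as an alert
    if not is_allowlisted(argv):
        return ("approval_required", argv)
    return ("executed", argv)


# Constructed requests (not captured traffic).
BENIGN = {"rawCommand": "ls -la /tmp", "command": ["ls", "-la", "/tmp"]}
MISMATCH = {"rawCommand": "ls -la /tmp", "command": ["sh", "-c", "id"]}
NO_RAW = {"command": ["sh", "-c", "id"]}


def demo():
    """Run both handlers over the sample requests; returns a dict of results."""
    return {
        "vulnerable_benign": handle_vulnerable(BENIGN),
        "vulnerable_mismatch": handle_vulnerable(MISMATCH),
        "vulnerable_no_raw": handle_vulnerable(NO_RAW),
        "fixed_benign": handle_fixed(BENIGN),
        "fixed_mismatch": handle_fixed(MISMATCH),
        "fixed_no_raw": handle_fixed(NO_RAW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The important line in the hardened handler is not the string comparison but the fact that `is_allowlisted` receives `argv`, the value that is actually executed; the comparison is a secondary sanity check that turns a crafted mismatch into an explicit rejection (and a loggable event) rather than a silent policy miss. Any handler that accepts two descriptions of the same action should evaluate policy on the one it acts on and treat the other as untrusted display data.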

Remediation

Update to OpenClaw version 2026.2.14 or later, where this issue is fixed. Update instructions are in the OpenClaw GitHub repository. Until the update is applied, exposure can be reduced by withdrawing the ability of untrusted parties to invoke 'system.run' on nodes, since that access is a precondition for the bypass. After updating, confirm the fix by sending a request whose 'rawCommand' is allowlisted and whose 'command[]' is not and checking that it is prompted for approval or rejected rather than executed.

Added: Feb 19, 2026, 11:21 PM
Updated: Feb 19, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact         10.0
exploitability  5.8
remediation     0.0
relevance       3.0
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.