OpenClaw Shell Approval Gating Bypass Vulnerability in System.run Dispatch-Wrapper Handling
Vulnerability
A vulnerability exists in OpenClaw versions prior to 2026.3.7 that allows attackers to bypass shell approval requirements in system.run dispatch-wrapper handling. The issue arises because the approval classifier and the execution planner apply different depth-boundary rules when unwrapping transparent dispatch wrappers. By exploiting this mismatch, an attacker can skip the approval gating expected for shell wrapper invocations. The vulnerability is triggered by placing exactly four transparent dispatch wrappers, such as repeated environment variable (env) invocations, in front of the shell command that is executed.
Impact
Exploiting this vulnerability bypasses shell approval gating, which could lead to unauthorized command execution.
Reproduction
To reproduce this vulnerability, first ensure that the OpenClaw version is prior to 2026.3.7. Then invoke system.run with four nested dispatch wrappers, such as repeated env commands, in front of the shell execution command. The approval classification and the execution planning then disagree about the command's depth, so the command is executed without the required approval.
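The following model, added here as an illustration and not OpenClaw's own code, reproduces the mechanism behind the Vulnerability and Reproduction sections above: an approval classifier and an execution planner that each unwrap transparent wrappers but stop at different depths. The wrapper list, the two depth limits (3 for the classifier, 4 for the planner), the fail-open behaviour of the classifier and every function name are assumptions constructed so that a chain of exactly four wrappers reaches the planner without triggering approval. The hardened pairing routes both components through one shared resolver and fails closed when the chain is deeper than that resolver will inspect. Nothing is executed; the "planner" only returns the argv it would run.

```python
"""Model of a classifier/planner depth-boundary mismatch (constructed example).

Not OpenClaw's code: wrapper names, depth limits and function names are
assumptions chosen to show why an "exactly four wrappers" boundary appears.
"""

# Commands that only forward to the argv that follows them (constructed list).
TRANSPARENT_WRAPPERS = {"env", "nice", "nohup"}
SHELLS = {"sh", "bash", "zsh"}


class WrapperChainTooDeep(Exception):
    """Raised when a wrapper chain exceeds the depth a component will inspect."""


def unwrap(argv, max_depth):
    """Strip up to max_depth leading transparent wrappers.

    Returns (inner_argv, wrappers_stripped, exhausted); exhausted is True when
    another wrapper was still present after max_depth wrappers were removed.
    """
    argv = list(argv)
    stripped = 0
    while argv and argv[0] in TRANSPARENT_WRAPPERS:
        if stripped == max_depth:
            return argv, stripped, True
        wrapper, argv = argv[0], argv[1:]
        if wrapper == "env":
            # `env VAR=value ...` assignments belong to the wrapper, not the command.
            while argv and "=" in argv[0] and not argv[0].startswith("-"):
                argv = argv[1:]
        stripped += 1
    return argv, stripped, False


# --- Vulnerable pairing: two components, two different depth limits (assumed) ---

CLASSIFIER_DEPTH = 3  # assumption: the classifier stops inspecting after 3 wrappers
PLANNER_DEPTH = 4     # assumption: the planner unwraps up to 4 wrappers


def classify_vulnerable(argv):
    """Approval classifier: True when the innermost command is a shell."""
    inner, _, exhausted = unwrap(argv, CLASSIFIER_DEPTH)
    if exhausted:
        return False  # fails open: a chain it cannot see through is "not a shell"
    return bool(inner) and inner[0] in SHELLS


def plan_vulnerable(argv):
    """Execution planner: the argv that would actually run."""
    inner, _, exhausted = unwrap(argv, PLANNER_DEPTH)
    if exhausted:
        raise WrapperChainTooDeep(argv)
    return inner


# --- Hardened pairing: one shared resolver, classifier fails closed -------------

def resolve(argv, max_depth=PLANNER_DEPTH):
    """Single unwrapping rule used by both the classifier and the planner."""
    inner, _, exhausted = unwrap(argv, max_depth)
    if exhausted:
        raise WrapperChainTooDeep(argv)
    return inner


def classify_fixed(argv):
    try:
        inner = resolve(argv)
    except WrapperChainTooDeep:
        return True  # fails closed: an uninspectable chain requires approval
    return bool(inner) and inner[0] in SHELLS


def plan_fixed(argv):
    return resolve(argv)


# --- Simulated gate ------------------------------------------------------------

def dispatch(argv, classify, plan):
    """Return (approval_required, executed_argv); executed_argv is None when the
    planner refuses the chain. Execution is only simulated."""
    approval_required = classify(argv)
    try:
        executed = plan(argv)
    except WrapperChainTooDeep:
        executed = None
    return approval_required, executed


def bypass_possible(argv, classify, plan):
    """True when a shell would run without the classifier requesting approval."""
    approval_required, executed = dispatch(argv, classify, plan)
    return (not approval_required) and executed is not None and executed[0] in SHELLS


if __name__ == "__main__":
    for depth in range(1, 7):
        argv = ["env"] * depth + ["sh", "-c", "id"]
        print(depth, "wrappers: vulnerable bypass =",
              bypass_possible(argv, classify_vulnerable, plan_vulnerable),
              "| fixed bypass =", bypass_possible(argv, classify_fixed, plan_fixed))
```

Running the block prints one line per chain depth; in the vulnerable pairing only the depth-4 chain reports a bypass, because chains of three or fewer are classified as shells and chains of five or more are refused by the planner. The fix is not a tighter classifier limit but a single resolver shared by both components, so that whatever the planner will execute is exactly what the classifier judged.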
Remediation
Users can update to OpenClaw version 2026.3.7 or later, where this vulnerability has been patched.