OpenClaw Windows Command Injection Vulnerability: Allowlist Bypass
Vulnerability
A command injection vulnerability has been identified in OpenClaw versions through 2026.2.1. The issue arises from improper validation of Windows command metacharacters in execution requests that are subject to allowlist gating. This flaw allows remote attackers to craft command strings that bypass approval restrictions and execute unapproved commands. Exploitation takes advantage of how Windows cmd.exe interprets metacharacters such as '&' (command chaining) and '%...%' (environment variable expansion), so a request that passes the allowlist check can still cause the shell to run commands that were never approved.
Impact
Exploitation of this vulnerability allows for command injection on Windows systems, bypassing allowlist restrictions and executing unapproved commands via cmd.exe.
Reproduction
To reproduce this vulnerability, enable exec allowlist gating on a Windows node running OpenClaw version 2026.2.1 or earlier. Then send a command execution request that includes Windows cmd.exe metacharacters such as '&' or '%...%'; the shell interprets these to execute additional commands or expand variables, respectively. This bypasses the allowlist approval process and executes commands that are not explicitly allowed.
Remediation
Users can upgrade to OpenClaw version 2026.2.2 or later, where this vulnerability has been patched.
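The following is an added illustration, not OpenClaw's own code, of why a gate that matches only the first token of a request is defeated by the cmd.exe metacharacters described above, beside a stricter gate that refuses any request cmd.exe could interpret as more than one command. The allowlist contents, function names and sample requests are constructed assumptions.

```python
import re

# Constructed allowlist of approved program names (assumption, not OpenClaw's real config)
ALLOWLIST = {"dir", "ipconfig"}

# cmd.exe metacharacters that let one string carry more than one command or expand
# variables: separators (&), pipes (|), redirection (<, >), the escape character (^),
# %...% expansion, and line breaks.
CMD_METACHAR = re.compile(r"[&|<>^%\r\n]")


def naive_gate(command: str) -> bool:
    """Vulnerable pattern: approves a request by its first token only."""
    stripped = command.strip()
    first = stripped.split()[0].lower() if stripped else ""
    return first in ALLOWLIST


def hardened_gate(command: str) -> bool:
    """Refuse any string cmd.exe could interpret as more than one approved command."""
    stripped = command.strip()
    if not stripped or CMD_METACHAR.search(stripped):
        return False
    first = stripped.split()[0].lower()
    # A quoted or path-qualified first token is refused as well, so the allowlist
    # entry is compared against exactly the name cmd.exe will resolve.
    if first.startswith('"') or "\\" in first or "/" in first:
        return False
    return first in ALLOWLIST


def audit(requests):
    """Return (request, naive_decision, hardened_decision) for a batch of requests."""
    return [(r, naive_gate(r), hardened_gate(r)) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests: an approved command, a chained one, and one with expansion.
    samples = ["dir C:\\Users", "dir C:\\ & whoami", "dir %TEMP%"]
    for req, naive, hard in audit(samples):
        print(f"{req!r:24} naive={naive} hardened={hard}")
```

The hardened gate deliberately errs toward refusal: a literal '%' in an argument is rejected too, because cmd.exe's expansion and quoting rules are hard to reproduce exactly and an approval path should not try.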
