OpenClaw Allowlist Bypass Vulnerability in system.run

Vulnerability

An allowlist bypass vulnerability has been identified in OpenClaw versions prior to 2026.2.22. The issue is in the 'system.run' feature: an attacker can execute non-allowlisted commands by smuggling a command substitution past the allowlist check using shell line-continuation characters. When a backslash followed by a newline and an opening parenthesis is placed within double quotes, the allowlist check does not see a command substitution, but the shell folds the line continuation away and interprets the result as an executable command substitution, bypassing security approvals and allowing unauthorized command execution.

Impact

Exploiting this vulnerability can lead to unauthorized command execution, bypassing security allowlist checks.

Reproduction

To reproduce this vulnerability, use OpenClaw version 2026.2.21-2 or earlier. Set the 'tools.exec.security' option to 'allowlist' and the 'tools.exec.ask' option to 'off' or 'on-miss'. Then invoke a command whose double-quoted argument contains '$\', a newline, and '('. The shell folds the line continuation into a command substitution and executes it, bypassing the allowlist approval.
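The root cause described above is a check that scans the raw command string while the shell parses a folded one. The following added example (not OpenClaw's code; the 2026.2.22 fix itself is not shown on this page) contrasts a naive substitution scan with one that first folds backslash-newline pairs the way a POSIX shell does, then applies a hypothetical allowlist. The commands, the 'ALLOWLIST' set and the 'allowlist_decision' helper are constructed for illustration.

```python
import re
import shlex

# Constructed sample commands (not taken from OpenClaw or the advisory's tests).
BENIGN = 'echo "hello world"'
# The advisory's pattern: "$\" then a newline then "(" inside double quotes.
# A POSIX shell removes the backslash-newline before parsing and sees "$(id)".
EVASION = 'echo "$\\' + '\n' + '(id)"'
PLAIN_SUBST = 'echo "$(id)"'

ALLOWLIST = {"echo", "ls"}  # hypothetical set of allowlisted executables

# "$(" and backtick both open command substitution.
SUBST_TOKENS = re.compile(r"\$\(|`")


def fold_line_continuations(cmd: str) -> str:
    """Strip backslash-newline pairs the way a POSIX shell does before parsing.

    An escaped backslash ("\\\\") is kept intact so that a literal backslash
    followed by a newline is not mistaken for a continuation. Folding is applied
    everywhere, including single-quoted text, which can only make the check
    stricter (more denies), never more permissive.
    """
    out = []
    i = 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == "\\" and i + 1 < len(cmd):
            nxt = cmd[i + 1]
            if nxt == "\n":
                i += 2              # continuation: drop both characters
                continue
            if nxt == "\\":
                out.append("\\\\")  # escaped backslash: keep both characters
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def naive_has_substitution(cmd: str) -> bool:
    """Scan the raw string: misses "$\\<newline>(" because "$(" is not contiguous."""
    return SUBST_TOKENS.search(cmd) is not None


def hardened_has_substitution(cmd: str) -> bool:
    """Fold continuations first so the check sees what the shell will see."""
    return SUBST_TOKENS.search(fold_line_continuations(cmd)) is not None


def allowlist_decision(cmd: str, allowlist=ALLOWLIST) -> str:
    """Return "allow" or "deny" for a command string, evaluated after folding."""
    folded = fold_line_continuations(cmd)
    if hardened_has_substitution(folded):
        return "deny"   # substitution can run anything, so it is never allowlisted
    try:
        argv = shlex.split(folded)
    except ValueError:
        return "deny"   # unbalanced quotes: refuse rather than guess
    if not argv or argv[0] not in allowlist:
        return "deny"
    return "allow"


if __name__ == "__main__":
    for name, cmd in [("benign", BENIGN), ("evasion", EVASION), ("plain", PLAIN_SUBST)]:
        print(f"{name:8} naive={naive_has_substitution(cmd)!s:5} "
              f"hardened={hardened_has_substitution(cmd)!s:5} "
              f"decision={allowlist_decision(cmd)}")
```

The design point is that any policy check must run on the same representation the shell will execute. Folding continuations before scanning is one normalization step; a check that cannot fully replicate the shell's parsing should deny on any ambiguity rather than approve.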

Remediation

Users can upgrade to OpenClaw version 2026.2.22 or later to address this vulnerability. As a temporary mitigation, set 'tools.exec.ask' to 'always' or 'tools.exec.security' to 'deny'.

Added: Mar 19, 2026, 2:33 AM
Updated: Mar 19, 2026, 2:33 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 0.0
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.