OpenClaw Safe Bins Allowlist Bypass Vulnerability via Shell Expansion

Vulnerability

A vulnerability in OpenClaw's exec-approvals allowlist can lead to arbitrary file reads. The allowlist validation inspects the argv tokens as written, before any shell expansion, but the command is then executed by a real shell, which expands glob patterns and environment variables at run time. Because the validator and the shell see different arguments, safe binaries such as head, tail, or grep can be made to read arbitrary local files by passing glob patterns or environment variable references that resolve to file paths only at execution time. This vulnerability affects OpenClaw versions through 2026.2.13 and is present when host execution is enabled in allowlist mode.
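The mismatch described above is a validate-before-expand, execute-with-shell pattern. The following is an added illustration, not OpenClaw's code: a validator that rejects any argument the shell would expand, paired with execution that passes argv directly (no shell) so the arguments the validator approved are exactly the arguments the binary receives. The allowlist contents and the helper names are assumptions for the example.

```python
import re
import shlex
import subprocess

# Constructed allowlist for the example; OpenClaw's real list is not reproduced here.
SAFE_BINS = {"head", "tail", "grep"}

# Characters a POSIX shell would expand or interpret: globs, variables,
# command substitution, tilde and brace expansion.
SHELL_EXPANSION = re.compile(r"[*?\[\]$`~{}]")


def validate_argv(argv):
    """Return (ok, reason). Approves only allowlisted bins with literal args."""
    if not argv or argv[0] not in SAFE_BINS:
        return False, "binary not allowlisted"
    for tok in argv[1:]:
        if SHELL_EXPANSION.search(tok):
            # The validator cannot know what this token becomes after expansion,
            # so it must be rejected rather than approved as written.
            return False, f"shell expansion token rejected: {tok!r}"
    return True, "ok"


def validate_command_line(cmdline):
    """Tokenise a raw command string the way a shell would, then validate."""
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:
        return False, f"unparseable command line: {exc}"
    return validate_argv(argv)


def run_allowlisted(argv, **kwargs):
    """Execute only after validation, and never through a shell.

    shell=False passes argv verbatim to execve, so nothing is expanded
    between validation and execution (the gap this advisory describes).
    """
    ok, reason = validate_argv(argv)
    if not ok:
        raise PermissionError(reason)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=False, **kwargs)
```

Note that `shlex.split` only tokenises; it does not expand globs or variables, which is exactly why a validator built on it sees a different command than the shell that later runs the string.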

Impact

Exploitation of this vulnerability can result in unauthorized disclosure of files readable by the gateway or node process, depending on the execution context.

Reproduction

To reproduce this vulnerability, first ensure that OpenClaw is running a version prior to 2026.2.14 with the 'tools.exec.host' parameter set to 'gateway' or 'node'. Then, execute a command using a safe bin that includes glob patterns or environment variable expansions that reference file paths. The command will bypass the allowlist constraints and read the specified files, demonstrating the vulnerability.

Remediation

Users can update to OpenClaw version 2026.2.14 or later, where this vulnerability has been patched.

Added: Mar 5, 2026, 10:39 PM
Updated: Mar 5, 2026, 10:39 PM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          3.3
exploitability  6.3
remediation     0.0
relevance       3.5
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.