OpenClaw Authorization Bypass Vulnerability Allowing Remote Code Execution

A vulnerability allowing authorization bypass has been identified in OpenClaw versions prior to 2026.2.22. This issue arises from the persistence of wrapper-level allowlist entries in the 'allow-always' mode, which enables remote attackers to bypass approval checks. By approving benign wrapped 'system.run' commands, attackers can later execute different payloads without approval, leading to remote code execution on both gateway and node-host execution flows.

Impact

Exploiting this vulnerability can bypass authorization checks in allowlist mode, potentially allowing for approval-free execution of commands. This could lead to unauthorized command execution with the same privileges as the user running the OpenClaw node.

Reproduction

To reproduce this vulnerability, first approve a wrapped 'system.run' command with the 'allow-always' option in 'security=allowlist' mode. This will persist a wrapper-level allowlist entry. Afterward, the same wrapper can be used to execute different inner payloads without approval, effectively bypassing the authorization checks.

Remediation

Users are advised to upgrade to OpenClaw version 2026.2.22 or later. If an immediate upgrade is not possible, consider running with a stricter execution policy until the upgrade can be performed.