OpenClaw Approval Gating Bypass Vulnerability in System.run Allowlist Mode

Vulnerability

A vulnerability exists in OpenClaw versions prior to 2026.2.24, allowing an approval gating bypass in system.run allowlist mode. This issue arises because nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this vulnerability by chaining multiple dispatch wrappers, such as repeated '/usr/bin/env', to execute '/bin/sh -c' commands without triggering the required approval prompt in allowlist plus ask=on-miss configurations.

Impact

Exploiting this vulnerability bypasses the expected approval prompt for shell execution, allowing commands to be executed without proper authorization.

Reproduction

The vulnerability can be reproduced by constructing a command that nests several dispatch wrappers, such as repeated '/usr/bin/env', around a shell invocation, and then running that command through system.run while the security mode is set to allowlist with ask=on-miss. Chaining the wrappers suppresses the shell-wrapper detection because of a depth-cap mismatch, so the command runs without the approval prompt that shell execution is supposed to trigger.
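The following is an added illustrative model of this flaw class, not OpenClaw's code: a shell-wrapper detector that only unwraps a capped number of dispatch wrappers, beside the uncapped form. The wrapper list, shell list, allowlist and the sample command are constructed for the demonstration.

```python
"""Constructed model of depth-capped wrapper unwrapping (not OpenClaw's code)."""
from __future__ import annotations

# Constructed lists; the real OpenClaw lists are not given on this page.
DISPATCH_WRAPPERS = {"/usr/bin/env", "env"}
SHELLS = {"/bin/sh", "sh", "/bin/bash", "bash"}


def unwrap(argv: list[str], max_depth: int | None) -> list[str]:
    """Strip leading transparent dispatch wrappers from argv.

    max_depth=None strips every wrapper; an integer caps how many are
    removed, which is the weakness described in the advisory.
    """
    depth = 0
    while argv and argv[0] in DISPATCH_WRAPPERS:
        if max_depth is not None and depth >= max_depth:
            break
        argv = argv[1:]
        depth += 1
    return argv


def is_shell_wrapper(argv: list[str]) -> bool:
    """True when argv (after unwrapping) is a shell invoked with -c."""
    return len(argv) >= 2 and argv[0] in SHELLS and argv[1] == "-c"


def needs_approval(argv: list[str], allowlist: set[str],
                   detect_cap: int | None) -> bool:
    """Model of allowlist + ask=on-miss gating.

    Stage 1 gates shell execution, but only sees through detect_cap
    wrappers.  Stage 2 matches the outermost program against the
    allowlist, so an allowlisted wrapper passes its payload through.
    The mismatch between the two stages is what lets a long enough
    wrapper chain reach the shell without a prompt.
    """
    if is_shell_wrapper(unwrap(list(argv), detect_cap)):
        return True  # shell execution must always be approved
    return not argv or argv[0] not in allowlist  # ask on allowlist miss


# Constructed sample: three env wrappers around a shell -c invocation.
CHAIN = ["/usr/bin/env", "/usr/bin/env", "/usr/bin/env", "/bin/sh", "-c", "id"]
ALLOW = {"/usr/bin/env", "/bin/ls"}

if __name__ == "__main__":
    print("capped detector asks:", needs_approval(CHAIN, ALLOW, 2))      # False
    print("uncapped detector asks:", needs_approval(CHAIN, ALLOW, None))  # True
```

With the cap in place the chained command is not recognised as a shell wrapper and the allowlisted outer wrapper lets it through; removing the cap (or applying the same depth to both stages) restores the prompt.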

Remediation

Users can update to OpenClaw version 2026.2.24 or later, where this vulnerability has been patched.

Added: Mar 19, 2026, 10:39 PM
Updated: Mar 19, 2026, 10:39 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.3
remediation: 0.0
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.