OpenClaw Allowlist Bypass Vulnerability in system.run via Shell Line-Continuation Command Substitution
Vulnerability
An allowlist bypass vulnerability has been identified in OpenClaw versions prior to 2026.2.22. The issue resides in the 'system.run' feature, where an attacker can execute commands that are not included in the allowlist. It arises because a command substitution can be split with a shell line continuation: a backslash followed by a newline and an opening parenthesis inside double quotes. The shell removes the line continuation and interprets the result as a command substitution, so the allowlist check is bypassed and arbitrary commands execute.
Impact
Exploitation of this vulnerability can lead to unauthorized command execution, bypassing established approval processes in environments that use OpenClaw's command execution allowlist feature.
Reproduction
To reproduce this vulnerability, first ensure that OpenClaw is running a version prior to 2026.2.22 and that the 'system.run' allowlist feature is enabled. Then submit a command containing a backslash followed by a newline and an opening parenthesis within double quotes. The shell interprets this as a command substitution, allowing a non-allowlisted command to run.
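As an added example (not OpenClaw's code), the following contrasts an allowlist check that inspects the raw command text with one that first folds backslash-newline continuations the way the shell lexer does, so a split '$\<newline>(' is seen as the '$(' it becomes. The allowlist contents, function names and test input are constructed for illustration; the hardened check also covers backtick substitution and rejects any newline left after folding.

```python
import re

# Constructed allowlist of permitted command names (example values only).
ALLOWLIST = {"echo", "ls"}

# Syntax that starts a command substitution in POSIX shells.
SUBSTITUTION_MARKERS = ("$(", "`")


def fold_line_continuations(cmd: str) -> str:
    """Remove backslash-newline pairs exactly as the shell does before
    tokenising.  POSIX treats '\\<newline>' as a line continuation even
    inside double quotes, so '"$\\<newline>(id)"' becomes '"$(id)"'."""
    return cmd.replace("\\\r\n", "").replace("\\\n", "")


def first_word(cmd: str) -> str:
    parts = cmd.split()
    return parts[0] if parts else ""


def naive_allowed(cmd: str) -> bool:
    """Vulnerable pattern: looks for '$(' in the raw text.  A substitution
    split across a line continuation contains no literal '$(' and passes."""
    if any(marker in cmd for marker in SUBSTITUTION_MARKERS):
        return False
    return first_word(cmd) in ALLOWLIST


def hardened_allowed(cmd: str) -> bool:
    """Hardened pattern: normalise line continuations first, then refuse
    anything that still spans multiple lines or contains substitution
    syntax, and only then compare the command name to the allowlist."""
    folded = fold_line_continuations(cmd)
    if re.search(r"[\r\n]", folded):
        return False
    if any(marker in folded for marker in SUBSTITUTION_MARKERS):
        return False
    return first_word(folded) in ALLOWLIST


# Constructed input mirroring the advisory: backslash, newline, '(' inside
# double quotes.  The shell runs the substituted command; the naive check
# sees only 'echo' and a harmless-looking string.
SPLIT_SUBSTITUTION = 'echo "$\\\n(id)"'
```

`naive_allowed(SPLIT_SUBSTITUTION)` returns True (the bypass), while `hardened_allowed(SPLIT_SUBSTITUTION)` returns False because folding restores the literal `$(`.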
Remediation
Users are advised to upgrade to OpenClaw version 2026.2.22 or later. If an immediate upgrade is not possible, setting 'tools.exec.ask=always' or 'tools.exec.security=deny' can serve as a temporary mitigation.