VDB
KO
HIGH 7.1

GHSA-mhq8-78pj-5j79

OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion

Details

### Summary

On POSIX nodes, OpenClaw's `system.run` safe-bin checks could approve a command before shell expansion changed how the command was interpreted. A value that appeared to be a safe-bin argument could expand into additional shell words and become a file operand.

This issue is limited to paired POSIX node execution through `system.run` with safe-bin or allowlist-style auto-approval. It is not an unauthenticated node takeover.

### Affected configurations

This affects deployments where:

- a POSIX node is paired to the gateway - `system.run` is reachable by an authenticated operator or agent flow - exec policy uses safe-bin or allowlist-based auto-approval - the approved command contains shell-expanded values that can change argv shape

### Impact

A lower-privilege operator flow could cause an approved safe-bin command to read a node-local file that was not intended by the policy. Depending on the local files available to the node process, this could expose OpenClaw configuration data or other node-local information.

The issue is a policy-enforcement gap in argv validation, not a general statement that every safe-bin command is unsafe.

### Patched Versions

The first stable patched version is `2026.5.18`.

### Mitigations

Upgrade to `openclaw@2026.5.18` or later. Before upgrading, avoid broad safe-bin auto-approval for commands that can read arbitrary paths, and prefer explicit approval for node commands that touch local files.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / openclaw
Introduced in: 0 Fixed in: 2026.5.18
Fix npm install openclaw@2026.5.18

References