CVE-2026-27566

HIGH openclaw NVD

CVSS Score 7.1

Severity HIGH

Published Mar 19, 2026

Vendor openclaw

Description

OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to smuggle payloads that satisfy allowlist entries while executing non-allowlisted commands.

References

https://github.com/openclaw/openclaw/commit/2b63592be57782c8946e521bc81286933f0f99c7
https://github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r
https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-wrapper-binary-unwrapping-in-system-run