CVE-2026-28460
HIGHOpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run
Title source: cnaDescription
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers can bypass security analysis by injecting $\\ followed by a newline and opening parenthesis inside double quotes, causing the shell to fold the line continuation into executable command substitution that circumvents approval boundaries.
References (3)
Core 3
Core References
Third Party Advisory third-party-advisory
GitHub Security Advisory (GHSA-9868-vxmx-w862)
https://github.com/openclaw/openclaw/security/advisories/GHSA-9868-vxmx-w862
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run
https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-shell-line-continuation-command-substitution-in-system-run
Scores
CVSS v3
7.1
EPSS
0.0044
EPSS Percentile
34.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-78
Status
published
Products (3)
npm/openclaw
0 - 2026.2.22npm
OpenClaw/OpenClaw
< 2026.2.22
openclaw/openclaw
< 2026.2.22
Published
Mar 19, 2026
Tracked Since
Mar 19, 2026