CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-mhq8-78pj-5j79: OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion

highCVSS 7.1
Summary On POSIX nodes, OpenClaw's system.run safe-bin checks could approve a command before shell expansion changed how the command was interpreted. A value that appeared to be a safe-bin argument could expand into additional shell words and become a file operand. This issue is limited to paired POSIX node execution through system.run with safe-bin or allowlist-style auto-approval. It is not an unauthenticated node takeover. Affected configurations This affects deployments where: - a POSIX node is paired to the gateway - system.run is reachable by an authenticated operator or agent flow - exec policy uses safe-bin or allowlist-based auto-approval - the approved command contains shell-expanded values that can change argv shape Impact A lower-privilege operator flow could cause an approved safe-bin command to read a node-local file that was not intended by the policy. Depending on the local files available to the node process, this could expose OpenClaw configuration data or other node-local information. The issue is a policy-enforcement gap in argv validation, not a general statement that every safe-bin command is unsafe. Patched Versions The first stable patched version is 2026.5.18. Mitigations Upgrade to openclaw@2026.5.18 or later. Before upgrading, avoid broad safe-bin auto-approval for commands that can read arbitrary paths, and prefer explicit approval for node commands that touch local files.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 7.1
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-mhq8-78pj-5j79

More from GitHub Security Advisories