GHSA-mhq8-78pj-5j79: OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion
Summary
On POSIX nodes, OpenClaw's system.run safe-bin checks could approve a command before shell expansion changed how the command was interpreted. A value that appeared to be a safe-bin argument could expand into additional shell words and become a file operand.
This issue is limited to paired POSIX node execution through system.run with safe-bin or allowlist-style auto-approval. It is not an unauthenticated node takeover.
Affected configurations
This affects deployments where:
- a POSIX node is paired to the gateway
- system.run is reachable by an authenticated operator or agent flow
- exec policy uses safe-bin or allowlist-based auto-approval
- the approved command contains shell-expanded values that can change argv shape
Impact
A lower-privilege operator flow could cause an approved safe-bin command to read a node-local file that was not intended by the policy. Depending on the local files available to the node process, this could expose OpenClaw configuration data or other node-local information.
The issue is a policy-enforcement gap in argv validation, not a general statement that every safe-bin command is unsafe.
Patched Versions
The first stable patched version is 2026.5.18.
Mitigations
Upgrade to openclaw@2026.5.18 or later. Before upgrading, avoid broad safe-bin auto-approval for commands that can read arbitrary paths, and prefer explicit approval for node commands that touch local files.
Details
Original advisory: https://github.com/advisories/GHSA-mhq8-78pj-5j79
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10