In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was denied.
The validation mechanism of tools.exec.safeBins in allowlist mode checked only exact string matching — for example, it blocked the '--compress-program' option, but did not recognize its shortened equivalents compliant with GNU standard, such as '--compress-prog'. An attacker with regular user privileges could pass a shortened form of the option, which is functionally identical to the blocked one, but was not included in the blocked values list. As a result, the command was executed as if it had passed verification, bypassing the required approval process.
An authenticated attacker with low privileges can remotely execute commands that should require approval — potentially leading to system takeover, violation of data confidentiality and integrity, and disruption of service availability.
OpenClaw should be updated to version 2026.2.23 or newer. Details available in the vendor's official security advisory at: https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78
OpenClaw in versions before 2026.2.23
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HOpenclaw
APPOpenclaw< 2026.2.23
Related vulnerabilities
OpenClaw: ominięcie uwierzytelniania przez nieodświeżane tokeny bearer po rotacji SecretRef
OpenClaw: Authentication Bypass w trasie pomocniczej sandbox noVNC
OpenClaw: privilege escalation przez pominięcie zdarzeń async exec w heartbeat
OpenClaw: ekspozycja Chrome DevTools Protocol poza sandbox
OpenClaw — Auth Bypass w walidacji Feishu webhook umożliwia RCE