OpenClaw, Approval Bypass, CVE-2026-1234 (High)

Listen to this Post

OpenClaw’s `system.run` function includes a security feature for “allowlist” mode, which is designed to require explicit approval before executing certain shell commands. This feature uses a “shell-wrapper” detection mechanism to identify when a command is being wrapped by an interpreter like `pwsh` or powershell. The vulnerability existed because this detection logic did not recognize the PowerShell flags -EncodedCommand, -enc, or `-e` as indicators of an inline command. When a caller with access to `system.run` invoked PowerShell using one of these encoded command flags, the request bypassed the shell-wrapper approval path and fell back to a simpler “plain argv analysis.” This analysis did not trigger the additional approval step that a standard `-Command` invocation would require. Consequently, an attacker could supply a base64-encoded PowerShell payload that would execute without the necessary administrative oversight. The issue affects all npm versions up to 2026.3.2. The vulnerability was fixed on the main branch on March 7, 2026, in commit 1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d. The fix involves updating the shell-wrapper parser to recognize encoded command aliases, ensuring that even these obfuscated commands must pass through the standard approval workflow in allowlist mode.

dailycve form:

Platform: OpenClaw (npm)
Version: <=2026.3.2
Vulnerability: Approval Bypass
Severity: High
date: 2026-03-09

Prediction: 2026-03-16

What Undercode Say:

Analytics:

This vulnerability bypasses a core security control in allowlist mode. It exploits a gap in argument parsing, treating encoded commands as less suspicious than plain-text ones. The fix required enhancing the shell-wrapper detector to include all PowerShell execution aliases. Users running versions up to `2026.3.2` with `system.run` in allowlist mode are impacted. Immediate upgrade to `2026.3.7` or later is recommended.

Bash Commands and Codes:

Check current OpenClaw version
npm list openclaw
Example of a vulnerable command that would bypass approval
(Hypothetical - demonstrates the concept)
node -e "require('openclaw').system.run('pwsh -EncodedCommand ZWNobyAiSGFja2VkIg==')"
Command to test if your system is vulnerable (run in a test environment)
This simulates a call that should be blocked but might not be in vulnerable versions.
curl -X POST http://localhost:18789/api/system/run \
-H "Content-Type: application/json" \
-d '{"command": "pwsh", "args": ["-EncodedCommand", "ZWNobyAiVnVsbmVyYWJsZSI="]}'
Update to the patched version
npm install [email protected]
Verify the installed version is patched
npm list openclaw | grep openclaw
Check the git commit to see the fix (if you have the source)
git log --oneline | grep 1d1757b

How Exploit:

An attacker with the ability to call `system.run` crafts a command string that uses PowerShell with the `-EncodedCommand` argument. The payload is base64-encoded to avoid simple string inspection. The vulnerable OpenClaw version fails to classify this as a shell-wrapper that requires approval, allowing the base64-decoded PowerShell code to execute directly on the host system.

Protection from this CVE:

  • Immediate Upgrade: Update the `openclaw` npm package to version `2026.3.7` or later.
  • Verify Patch: Ensure the update is applied and the gateway service is restarted.
  • Principle of Least Privilege: Review and restrict which users or internal processes have access to the `system.run` function.
  • Monitor Logs: For versions prior to the patch, audit logs for unexpected PowerShell invocations using encoded commands.

Impact:

  • Security Control Bypass: The primary impact is the circumvention of the allowlist approval mechanism.
  • Arbitrary Code Execution: By bypassing approval, an attacker can execute arbitrary PowerShell commands, leading to potential system compromise.
  • Privilege Escalation: If `system.run` runs with elevated privileges, the attacker’s code will execute with those same high privileges.
  • Data Exfiltration: The attacker could use PowerShell to read sensitive files, access environment variables, or reach internal network resources.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top