Listen to this Post
OpenClaw’s `system.run` allowlist analysis failed to respect POSIX shell comment semantics when determining allow-always persistence entries . In `security=allowlist` mode, a caller who received an allow-always decision could submit a shell command where the actual payload was hidden behind an unquoted symbol . At runtime, the shell would correctly treat the as a comment and execute only the benign prefix, ignoring the malicious tail . However, the allowlist persistence mechanism incorrectly analyzed and stored the entire command, including the non-executed tail, as a trusted command for future executions . This created a mismatch between what was analyzed for trust (the full command with the malicious part) and what actually ran (only the safe prefix) . The vulnerability allowed an attacker to poison the allowlist by submitting a command where a dangerous payload was syntactically a comment . The fix implemented on March 7, 2026, in commit `939b184` teaches the shell tokenization and chain/pipeline analysis to stop at unquoted shell comments . This ensures that allow-always persistence now tracks only the commands the shell can actually execute, while normal real chained commands and quoted literals continue to work as expected .
Platform: OpenClaw (npm)
Version: <= 2026.3.2
Vulnerability: Allowlist Comment Bypass
Severity: Medium
Date: March 8, 2026
<h2 style="color: blue;">Prediction: March 7, 2026</h2>
<h2 style="color: blue;">What Undercode Say</h2>
<h2 style="color: blue;">Analytics</h2>
To detect if your system has been targeted by this CVE, analyze `system.run` logs for commands containing unquoted hash symbols. The following command helps identify potential exploitation attempts where a benign command is used to poison the allowlist with a hidden payload.
Search logs for system.run invocations with comments
grep -E "system\.run.." /var/log/openclaw/audit.log | awk '{print $1, $2, $NF}'
For deeper analysis, compare the allowlist database against actual execution logs to find discrepancies where a stored allow-always entry was never fully executed.
Extract allow-always entries from the database sqlite3 /var/lib/openclaw/allowlist.db "SELECT command FROM allow_always WHERE command LIKE '%%';"
<h2 style="color: blue;">How Exploit</h2>
An attacker can exploit this by crafting a command that appears safe to the allowlist analyzer but only executes a harmless prefix at runtime. The example below shows how a malicious payload (`rm -rf /`) is hidden behind a comment and would be incorrectly trusted.
Malicious command submission system.run --security=allowlist "safe_command && rm -rf /"
The `system.run` handler receives this command. The allowlist analyzer sees and trusts the entire string, storing `safe_command && rm -rf /` as an allow-always entry. When the command executes, the shell runs only `safe_command`, ignoring everything after. The system is now poisoned, as the dangerous payload `&& rm -rf /` is stored in the allowlist for future use.
Protection from this CVE
Ensure OpenClaw is updated to version 2026.3.7 or later, which includes the fix in commit 939b184. To verify the patch is applied, check the commit hash in your installation.
Verify the patch is installed cd /path/to/openclaw && git log --oneline -n 1 | grep "939b184"
If you cannot immediately upgrade, implement strict input validation to reject any `system.run` commands containing unquoted hash symbols.
Reject commands with unquoted comments echo "$COMMAND" | grep -qE '^[^"][^"]$' && echo "Potential exploit blocked" && exit 1
Impact
The primary impact is the corruption of the allow-always persistence mechanism . An attacker can inject arbitrary, non-executed payloads into the trusted command list . While the malicious code does not run immediately, it becomes part of the trusted database. If the vulnerability in comment parsing is later combined with another flaw, or if the system’s command execution logic changes, the stored payload could become executable, leading to remote code execution . This undermines the integrity of the entire allowlist-based security model .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

