On POSIX nodes, OpenClaw’s `system.run` safe-bin checks evaluate a command’s safety before shell expansion alters its interpretation. This creates a time-of-check to time-of-use (TOCTOU) gap: the approval logic sees a benign argument (e.g., `"*.conf"`), but the shell later expands that same token into multiple file operands. An authenticated operator or agent flow can therefore pass a command that appears to be a safe-bin argument but, after expansion, reads unintended node-local files.
The root cause lies in argv validation occurring prior to shell expansion. OpenClaw’s safe-bin or allowlist-style auto-approval trusts the pre-expansion argument vector, yet POSIX shells perform globbing, variable substitution, and word splitting after the fact. A value like `"/etc/openclaw/*"` might be approved as a single argument, but the shell expands it into a list of file paths, effectively turning a seemingly safe command into a file read operation across arbitrary paths.
This issue is limited to paired POSIX node execution through `system.run` with safe-bin or allowlist-style auto-approval. It is not an unauthenticated node takeover; the attacker must already have authenticated operator or agent-level access to the gateway. The vulnerability affects deployments where:
- A POSIX node is paired to the gateway.
- `system.run` is reachable by an authenticated operator or agent flow.
- Exec policy uses safe-bin or allowlist-based auto-approval.
- The approved command contains shell-expanded values that can change argv shape.
A lower-privilege operator flow could cause an approved safe-bin command to read a node-local file not intended by policy, potentially exposing OpenClaw configuration data or other node-local information. The issue is a policy-enforcement gap in argv validation, not a general statement that every safe-bin command is unsafe. The first stable patched version is 2026.5.18.
DailyCVE Form:
Platform: OpenClaw
Version: < 2026.5.18
Vulnerability: Policy Enforcement Gap (Shell Expansion)
Severity: Medium
Date: 2026-06-13
Prediction: 2026-05-18
What Undercode Say:
Analytics:
The vulnerability stems from the order of operations in `system.run`:
```
# Safe-bin approval checks before shell expansion
Approved: cat "/etc/openclaw/*.conf"
Shell expands to: cat /etc/openclaw/main.conf /etc/openclaw/agent.conf ...
```
To reproduce the behaviour:
```bash
# Simulate the approval check (pre-expansion)
echo "Approved: cat '/etc/openclaw/*.conf'"
# Actual shell execution (post-expansion)
bash -c "cat /etc/openclaw/*.conf"
```
Exploit:
An authenticated operator can issue:
```
system.run --node posix-node-1 --command "cat /etc/openclaw/*.conf"
```
If `cat` is in the safe-bin allowlist and the command is auto-approved, the shell expands the glob and reads all matching files, potentially exposing sensitive configuration.
Protection:
- Upgrade to OpenClaw 2026.5.18 or later.
- Before upgrading, avoid broad safe-bin auto-approval for commands that can read arbitrary paths.
- Prefer explicit approval for node commands that touch local files.
- Use single quotes around arguments to prevent shell expansion where possible (e.g., `'*.conf'`).
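The check-order gap and a stricter gate, as an added example (not OpenClaw's code): it compares the argv a pre-expansion check sees with the argv a POSIX shell produces for the same string, then refuses auto-approval for any token the shell could rewrite. `SAFE_BINS`, `EXPANSION_CHARS` and all function names are hypothetical, and the sample files are constructed in a temporary directory.

```python
import os
import shlex
import subprocess
import tempfile

SAFE_BINS = {"cat", "head", "wc"}      # hypothetical safe-bin allowlist
EXPANSION_CHARS = set("*?[]{}$`~")     # characters a POSIX shell may expand

def checked_argv(command):
    """Argv as a pre-expansion check sees it: tokens are split, never expanded."""
    return shlex.split(command)

def shell_argv(command, cwd):
    """Argv a POSIX shell actually produces for the same string, run in cwd."""
    # Only used here on constructed demo strings; never feed it untrusted input.
    script = f"set -- {command}; printf '%s\\n' \"$@\""
    out = subprocess.run(["sh", "-c", script], cwd=cwd,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()

def naive_approve(command):
    """Flawed order of operations: decide on the pre-expansion argv only."""
    argv = checked_argv(command)
    return bool(argv) and argv[0] in SAFE_BINS

def strict_approve(command):
    """Return the exact argv to run with shell=False, or None for manual review."""
    argv = checked_argv(command)
    if not argv or argv[0] not in SAFE_BINS:
        return None
    if any(EXPANSION_CHARS & set(tok) for tok in argv):
        return None      # a shell could change argv shape after the check
    return argv          # execute this list directly, without a shell

def demo():
    with tempfile.TemporaryDirectory() as node_dir:   # constructed sample files
        for name in ("main.conf", "agent.conf"):
            with open(os.path.join(node_dir, name), "w") as fh:
                fh.write("constructed sample\n")
        cmd = "cat *.conf"
        return (naive_approve(cmd), checked_argv(cmd),
                shell_argv(cmd, node_dir), strict_approve(cmd),
                strict_approve("cat main.conf"))

if __name__ == "__main__":
    print(demo())
```

The strict gate is deliberately conservative: it also rejects quoted metacharacters, so the decision never depends on how quoting survives between the check and the shell.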
Impact:
- Lower-privilege operator flows can read node-local files unintended by policy.
- Exposure of OpenClaw configuration data or other node-local information.
- Policy-enforcement gap in argv validation, not a general unsafe-bin issue.
Sources:
Reported By: github.com

