OpenClaw: When 'Safe' Binaries Bite Back

Vulnerability ID: GHSA-XVHF-X56F-2HPP
CVSS Score: 6.1
Published: 2026-02-18

A deep dive into an Argument Injection vulnerability in OpenClaw's safeBins mechanism. By failing to account for shell expansion, the validator allowed attackers to bypass allowlists using wildcards and variables, turning 'harmless' tools like head into arbitrary file readers.

TL;DR

OpenClaw allowed certain 'safe' binaries to run without strict checks, assuming they only processed stdin. However, because commands ran in a shell, attackers could use globbing (*) or variables ($VAR) to smuggle file arguments past the validator. The fix forces argument quoting.

⚠️ Exploit Status: POC

Technical Details

• Attack Vector: Argument Injection
• Impact: Information Disclosure / File Read
• Affected Component: tools.exec.safeBins validator
• CVE ID: GHSA-XVHF-X56F-2HPP
• Fixed Version: v2026.2.14
• Fix Commit: 77b89719d5b7e271f48b6f49e334a8b991468c3b

Affected Systems

• openclaw < v2026.2.14
• openclaw: < 2026.2.14 (Fixed in: v2026.2.14)

Code Analysis

Commit: 77b8971

fix(exec): quote safeBin arguments to prevent shell expansion

function shellEscapeSingleArg(value: string): string {
  const singleQuoteEscape = `'\''`;
  return `'${value.replace(/'/g, singleQuoteEscape)}'`;
}

Mitigation Strategies

• Upgrade to OpenClaw v2026.2.14
• Disable tools.exec.safeBins in configuration
• Use explicit allowlist entries instead of safeBins wildcards

Remediation Steps:

1. Check your package.json for openclaw version < 2026.2.14.
2. Run npm install openclaw@latest to update.
3. Verify that host exec allowlist is functioning by attempting to run head * in a test environment; it should now fail or treat * literally.

Read the full report for GHSA-XVHF-X56F-2HPP on our website for more details including interactive diagrams and full exploit analysis.