CVE-2026-22168 Overview
OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign command. This command injection vulnerability enables attackers to smuggle malicious arguments through cmd.exe /c to achieve local command execution on trusted Windows nodes with mismatched audit logs.
Critical Impact
Authenticated operators can bypass approval workflows and execute arbitrary commands on Windows nodes while audit logs only record benign approved commands, effectively creating an invisible execution channel that undermines security monitoring and compliance.
Affected Products
- OpenClaw versions prior to 2026.2.21
- OpenClaw Node.js package (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*)
Discovery Timeline
- 2026-03-18 - CVE-2026-22168 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-22168
Vulnerability Analysis
This vulnerability stems from an approval-integrity mismatch in OpenClaw's system.run functionality. The core issue lies in how the system processes and validates command execution requests versus what gets recorded in approval workflows.
When an authenticated operator submits a command for execution, the approval mechanism validates and logs a sanitized representation of the command. However, the actual execution path allows additional trailing arguments to be appended after cmd.exe /c, creating a dangerous disconnect between what is approved and what is actually executed.
This architectural flaw enables attackers with valid operator credentials to craft requests where the approval text shows an innocuous command like cmd.exe /c dir, while the actual execution includes malicious payloads such as arbitrary PowerShell commands, file downloads, or system modifications. The audit trail remains clean, showing only the benign approved command.
Root Cause
The root cause is classified under CWE-88 (Improper Neutralization of Argument Delimiters in a Command). The vulnerable code failed to properly validate that the command being executed exactly matches the command that was approved. The formatExecCommand and validateSystemRunCommandConsistency functions did not adequately prevent argument injection when commands were passed through cmd.exe /c.
The security patch introduces a new resolveSystemRunCommand function with a ResolvedSystemRunCommand type that ensures consistent handling of command arguments. This new approach returns a structured object containing argv, rawCommand, shellCommand, and cmdText fields, enabling proper validation that the executed command matches the approved command text.
Attack Vector
The attack is network-accessible and requires low-privilege authentication as an operator. An attacker with valid operator credentials can exploit the approval workflow mismatch to execute arbitrary commands on Windows nodes running the OpenClaw gateway. The vulnerability is particularly dangerous because:
- It requires minimal complexity to exploit
- It bypasses approval workflows designed to prevent unauthorized execution
- It leaves clean audit logs that mask malicious activity
- It can be used to establish persistence or lateral movement while evading detection
// Security patch from src/infra/system-run-command.ts
// Source: https://github.com/openclaw/openclaw/commit/6007941f04df1edcca679dd6c95949744fdbd4df
export type ResolvedSystemRunCommand =
| {
ok: true;
argv: string[];
rawCommand: string | null;
shellCommand: string | null;
cmdText: string;
}
| {
ok: false;
message: string;
details?: Record<string, unknown>;
};
The fix introduces a strict type that ensures command resolution returns either a fully validated command structure or an explicit error, preventing the argument smuggling that enabled this vulnerability.
Detection Methods for CVE-2026-22168
Indicators of Compromise
- Unusual cmd.exe process spawning from OpenClaw gateway services with unexpected child processes
- Discrepancies between approved commands in OpenClaw audit logs and actual process command lines observed in Windows event logs
- Commands containing multiple argument separators or shell metacharacters in system.run requests
- Network connections from OpenClaw-managed Windows nodes to unexpected external destinations following command execution
Detection Strategies
- Deploy endpoint detection rules to compare OpenClaw approval logs against Windows process creation events (Event ID 4688) for command line mismatches
- Implement SIEM correlation rules that flag when cmd.exe /c executions contain significantly more arguments than recorded in approval workflows
- Monitor for suspicious command patterns in process telemetry including encoded PowerShell, download cradles, or persistence mechanisms
- Enable verbose logging on OpenClaw gateway nodes to capture full command resolution details
Monitoring Recommendations
- Configure SentinelOne to alert on cmd.exe spawning with unusually long command lines from Node.js-based services
- Establish baseline behavior for legitimate system.run operations and alert on deviations
- Monitor Windows nodes managed by OpenClaw for signs of unauthorized command execution including new scheduled tasks, services, or registry modifications
- Review OpenClaw gateway logs for patterns of repeated command submissions with similar approval text but different execution outcomes
How to Mitigate CVE-2026-22168
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.21 or later immediately on all production systems
- Audit recent system.run approvals and compare against actual process execution logs to identify potential exploitation
- Temporarily restrict operator access to system.run functionality if immediate patching is not possible
- Enable enhanced logging on OpenClaw gateways and Windows nodes to capture detailed command execution telemetry
Patch Information
The vulnerability is addressed in OpenClaw version 2026.2.21 through commit 6007941f. The fix refactors the system.run command resolution to use a new resolveSystemRunCommand function that ensures consistency between approved and executed commands.
For detailed information about the vulnerability and fix, refer to:
Workarounds
- Disable the system.run capability entirely until patching is complete by modifying gateway configuration
- Implement network segmentation to limit which nodes can receive system.run commands from the gateway
- Deploy application-level firewalling to restrict cmd.exe execution patterns on managed Windows nodes
- Require multi-party approval for any system.run operations until the patch is deployed
# Verify OpenClaw version after upgrade
openclaw --version
# Expected output: 2026.2.21 or higher
# Review recent system.run audit logs for anomalies
openclaw audit list --type system.run --since 2026-03-01
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
