CVE-2026-22169 Overview
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass (CWE-78: OS Command Injection) in the tools.exec.safeBins policy. When an operator explicitly adds sort to tools.exec.safeBins, an attacker who can influence the arguments of an approved sort invocation can use --compress-program to make sort execute an arbitrary external program, bypassing the approval step that safeBins is meant to enforce.
Critical Impact
This vulnerability lets an attacker bypass the control that restricts which external programs the exec tool may run without approval. Because the helper named by --compress-program runs with the privileges of the OpenClaw process, the result is arbitrary command execution on any Node.js host running a vulnerable version with sort in its safeBins.
Affected Products
- OpenClaw versions prior to 2026.2.22
- OpenClaw Node.js package (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*)
Discovery Timeline
- 2026-03-18 - CVE-2026-22169 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-22169
Vulnerability Analysis
This is a command injection flaw arising from a gap in OpenClaw's safeBins allowlist. safeBins names the external binaries the exec tool may run without an approval step, so the list is a security boundary between the Node.js process and the host: anything not on it is supposed to require explicit approval.
The problem is in how sort was vetted for that list. sort itself only reads and writes data, but GNU sort accepts --compress-program=PROG, which tells it to run PROG to compress its temporary files (and PROG -d to decompress them). PROG is any program name or path, resolved and executed by sort with the same privileges as the OpenClaw process, so an approved sort invocation becomes an indirect launcher for unapproved programs. Note that sort only runs the helper when it actually spills to temporary files, which depends on input size and the --buffer-size setting, so an invocation carrying the flag may or may not have executed anything.
Root Cause
The vulnerable code is exec-safe-bin-policy.ts, which defines the argument allowlist for each safeBins entry. --compress-program was included among the acceptable arguments for sort. Because its value names a program that sort will execute (with the privileges of the OpenClaw process, not elevated ones), allowlisting the flag amounts to allowlisting arbitrary program execution, which defeats the safeBins mechanism for any deployment that lists sort.
Attack Vector
The attacker needs to influence the argument list of a sort invocation that the exec tool runs under the safeBins policy; whoever supplies those arguments can point --compress-program at a program or script of their choosing. The vector is local, privileges are required, and some environmental prerequisites must hold (sort must be in safeBins, and sort must spill to temporary files for the helper to actually run), but a successful exploit gives the attacker code execution as the OpenClaw process, a full loss of confidentiality, integrity and availability for everything that process can reach.
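To make the allowlist gap concrete, here is an added example in JavaScript. It is illustrative and is not OpenClaw's exec-safe-bin-policy.ts: a minimal model of a per-binary argument allowlist for sort in its pre-patch and patched forms, plus a checker that validates an argument list against it. The option tables, checkSortArgs, demo and the sample argument lists are assumptions made for the example.

```javascript
// Added example: a minimal model of a safe-bin argument allowlist for `sort`.
// Illustrative only; this is not OpenClaw's exec-safe-bin-policy.ts.
// Each entry records whether the option takes a value. The listed sort
// options all do; the two no-value flags are included for contrast.

// Pre-patch table: --compress-program is allowlisted (assumed for the example).
const SORT_OPTIONS_VULNERABLE = {
  "--reverse": { takesValue: false },
  "--numeric-sort": { takesValue: false },
  "--field-separator": { takesValue: true },
  "--buffer-size": { takesValue: true },
  "--temporary-directory": { takesValue: true },
  "--compress-program": { takesValue: true }, // value is a program sort will exec
  "--parallel": { takesValue: true },
  "--batch-size": { takesValue: true },
  "--random-source": { takesValue: true },
};

// Patched table: identical except the exec-capable option is gone.
const SORT_OPTIONS_FIXED = Object.assign({}, SORT_OPTIONS_VULNERABLE);
delete SORT_OPTIONS_FIXED["--compress-program"];

/**
 * Validate argv (without the program name) against an allowlist table.
 * Returns { allowed: true } or { allowed: false, reason }.
 * Matching is on the exact long-option name: GNU getopt_long also accepts
 * unambiguous abbreviations (e.g. --compress-p), so a prefix comparison
 * would let an abbreviated spelling through.
 */
function checkSortArgs(argv, allow) {
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (arg === "--") break;                              // rest are file names
    if (arg === "-" || arg.charAt(0) !== "-") continue;   // stdin or a positional
    if (arg.slice(0, 2) !== "--") {
      return { allowed: false, reason: "short option " + arg + " is not allowlisted" };
    }
    const eq = arg.indexOf("=");
    const name = eq === -1 ? arg : arg.slice(0, eq);
    const spec = Object.prototype.hasOwnProperty.call(allow, name) ? allow[name] : null;
    if (spec === null) {
      return { allowed: false, reason: "option " + name + " is not allowlisted" };
    }
    if (spec.takesValue && eq === -1) {
      // Two-token form (--buffer-size 1M): consume the value so it is not
      // mistaken for a positional or an option on the next iteration.
      if (i + 1 >= argv.length) {
        return { allowed: false, reason: name + " requires a value" };
      }
      i++;
    } else if (!spec.takesValue && eq !== -1) {
      return { allowed: false, reason: name + " does not take a value" };
    }
  }
  return { allowed: true };
}

// Constructed argument list of the kind the advisory describes: a harmless
// flag alongside --compress-program naming an attacker-chosen helper.
const BYPASS_ARGV = ["--reverse", "--compress-program=/tmp/helper", "input.txt"];

// Same argv before and after the patch: the table alone decides the outcome.
function demo() {
  return {
    before: checkSortArgs(BYPASS_ARGV, SORT_OPTIONS_VULNERABLE).allowed,
    after: checkSortArgs(BYPASS_ARGV, SORT_OPTIONS_FIXED).allowed,
  };
}

console.log(demo()); // { before: true, after: false }
```

The point of the checker is that a flag-name allowlist cannot express "this flag is fine as long as its value is not a program": once --compress-program is in the table, every value passes. Removing the entry is the only policy-level fix, and the exact-name comparison keeps GNU getopt abbreviations from reintroducing it.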
// Security patch removing the --compress-program bypass vector
// Source: https://github.com/openclaw/openclaw/commit/57fbbaebca4d34d17549accf6092ae26eb7b605c
"--field-separator",
"--buffer-size",
"--temporary-directory",
- "--compress-program",
"--parallel",
"--batch-size",
"--random-source",
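Review bot: the removal at `- "--compress-program",` only closes the hole if the checker compares whole option names; GNU getopt_long accepts unambiguous abbreviations (`--compress-p=/x` resolves to the same option), so confirm that the match in exec-safe-bin-policy.ts is an exact comparison of the token before `=` (and of the bare token in the two-token `--compress-program /x` form) rather than a startsWith or prefix test, and add a regression test covering those three spellings. The surviving `"--temporary-directory"` and `"--random-source"` entries take filesystem paths; they do not execute anything, but a comment in the policy file on why an attacker-chosen temporaries directory is acceptable would help the next reviewer.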
Source: GitHub Commit 57fbbaebca4d34d17549accf6092ae26eb7b605c
Detection Methods for CVE-2026-22169
Indicators of Compromise
- Unexpected process spawning from Node.js/OpenClaw processes, particularly child processes of sort commands
- Command-line arguments containing --compress-program in process execution logs
- Unusual external program executions following sort command invocations
- Evidence of shell scripts or binaries being invoked through compression program paths
Detection Strategies
- Monitor application logs for sort invocations carrying --compress-program, in either the --compress-program=PROG or the two-token --compress-program PROG form
- Implement process monitoring to detect unexpected child processes spawned by the OpenClaw application
- Review safeBins configurations for the presence of sort in tools.exec.safeBins settings
- Audit command execution patterns for anomalous program execution chains
Monitoring Recommendations
- Enable verbose logging for command execution within OpenClaw applications
- Implement endpoint detection rules that alert on sort commands with --compress-program, matching the option as a prefix of the full name (GNU getopt accepts unambiguous abbreviations) rather than the exact string only
- Monitor for file system changes in temporary directories that may indicate exploitation attempts
- Review Node.js application behavior for unexpected subprocess creation patterns
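The argv and child-process indicators above, implemented as an added example that runs over constructed process-execution events. This is not OpenClaw code and the events are not from a real incident; the newline-delimited JSON schema (ts, pid, ppid, comm, argv), the helper paths and the function names are assumptions for the example. Adapt parseEvents to whatever your EDR or auditd export produces.

```javascript
// Added example: two detections for the CVE-2026-22169 pattern over
// process-execution telemetry. Not OpenClaw code. The event schema below
// (one JSON object per line: ts, pid, ppid, comm, argv) is an assumption
// made for the example; map your own EDR/auditd fields onto it.

// Constructed sample telemetry: an OpenClaw node process (4101) runs several
// sort invocations; two of them name a helper program, and one helper runs.
const SAMPLE_LOG = `
{"ts":1,"pid":4101,"ppid":4000,"comm":"node","argv":["node","/opt/openclaw/index.js"]}
{"ts":2,"pid":4102,"ppid":4101,"comm":"sort","argv":["sort","--reverse","/tmp/work/list.txt"]}
{"ts":3,"pid":4103,"ppid":4101,"comm":"sort","argv":["sort","--compress-program=/tmp/.cache/helper","/tmp/work/big.txt"]}
{"ts":4,"pid":4104,"ppid":4103,"comm":"helper","argv":["/tmp/.cache/helper"]}
{"ts":5,"pid":4105,"ppid":4101,"comm":"sort","argv":["sort","--co","/tmp/.cache/helper2","data.txt"]}
{"ts":6,"pid":4106,"ppid":4101,"comm":"sort","argv":["sort","--buffer-size=1M","data.txt"]}
`;

function parseEvents(text) {
  return text
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => JSON.parse(line));
}

const TARGET_OPTION = "--compress-program";
// GNU getopt_long accepts any unambiguous abbreviation of a long option.
// Among GNU sort's long options only --check shares the "--c" prefix, so
// "--co" and longer already resolve to --compress-program. Adjust if your
// sort build differs.
const MIN_PREFIX_LEN = "--co".length;

function isCompressProgramOption(name) {
  return name.length >= MIN_PREFIX_LEN && TARGET_OPTION.indexOf(name) === 0;
}

function basename(path) {
  return path.slice(path.lastIndexOf("/") + 1);
}

// Rule A: return the helper named by --compress-program (either the
// "--opt=PROG" or the two-token "--opt PROG" form), or null if absent.
function findCompressProgram(argv) {
  for (let i = 1; i < argv.length; i++) {
    const arg = argv[i];
    if (arg === "--") break;
    const eq = arg.indexOf("=");
    const name = eq === -1 ? arg : arg.slice(0, eq);
    if (isCompressProgramOption(name)) {
      if (eq !== -1) return arg.slice(eq + 1);
      return i + 1 < argv.length ? argv[i + 1] : "";
    }
  }
  return null;
}

// Run both rules over the events and return the hits in detection order.
function hunt(events) {
  const hits = [];
  const sortPids = new Set();
  for (const ev of events) {
    if (basename(ev.argv[0] || ev.comm) !== "sort") continue;
    sortPids.add(ev.pid);
    const program = findCompressProgram(ev.argv);
    if (program !== null) {
      hits.push({ rule: "sort-compress-program", pid: ev.pid, program: program });
    }
  }
  // Rule B: a non-sort process whose parent is a sort invocation. GNU sort
  // does not otherwise exec external programs, so such a child is the
  // helper being run to compress (or re-run with -d to decompress).
  for (const ev of events) {
    if (sortPids.has(ev.ppid) && basename(ev.argv[0] || ev.comm) !== "sort") {
      hits.push({ rule: "child-of-sort", pid: ev.pid, ppid: ev.ppid, program: ev.argv[0] });
    }
  }
  return hits;
}

console.log(hunt(parseEvents(SAMPLE_LOG)));
```

Rule A fires on the invocation whether or not sort ever spilled to temporary files; Rule B fires only once the helper actually runs. A Rule B hit with no matching Rule A hit usually means your argv capture is truncated or missing the abbreviated spelling, which is worth fixing before relying on argv-based alerts alone.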
How to Mitigate CVE-2026-22169
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.22 or later immediately
- Review current tools.exec.safeBins configurations and remove sort if not strictly required
- Audit application logs for any historical evidence of exploitation attempts
- Implement network segmentation to limit the impact of potential compromise
Patch Information
The vulnerability has been addressed in commit 57fbbaebca4d34d17549accf6092ae26eb7b605c, which removes --compress-program from the list of allowed arguments for the sort command in the safeBins policy. Users should update to OpenClaw version 2026.2.22 or later. Additional details are available in the GitHub Security Advisory GHSA-vmqr-rc7x-3446.
Workarounds
- Remove sort from tools.exec.safeBins if you cannot upgrade immediately; this closes the path entirely rather than trying to filter one flag
- If sort must stay, validate its arguments against an allowlist of option names rather than denylisting the string --compress-program: GNU sort accepts unambiguous abbreviations of long options and the two-token form --compress-program PROG, both of which a literal string filter misses
- Run OpenClaw's exec tool under container isolation or a sandbox so that a helper launched through sort inherits as little access as possible
- Perimeter controls such as a WAF do not see the argument list the exec tool builds, so do not rely on them for this issue; treat them as defense in depth only
# Example: review and modify the safeBins configuration
# Locate every safeBins setting in your OpenClaw configuration (adjust the path)
grep -rn "safeBins" ./config/
# Until you are on 2026.2.22 or later, make sure sort is not listed under
# tools.exec.safeBins, for example:
# tools:
#   exec:
#     safeBins:
#       - grep
#       - head
#       # - sort   # remove until patched to 2026.2.22+
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.