CVE-2026-22175 Overview
OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability (CWE-184: Incomplete List of Disallowed Inputs) in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers. This authorization bypass flaw affects the Node.js implementation of OpenClaw, allowing attackers to invoke arbitrary payloads by exploiting gaps in the execution allowlist validation logic.
The vulnerability stems from improper handling of multiplexer shell wrappers such as busybox and toybox sh -c commands. When these wrappers are used to execute commands, the allowlist mechanism fails to properly recognize and validate them, enabling attackers to satisfy stored allowlist rules while executing unintended payloads.
Critical Impact
Attackers can bypass execution restrictions intended to prevent unauthorized command execution, potentially leading to arbitrary command execution within the context of the OpenClaw application.
Affected Products
- OpenClaw versions prior to 2026.2.23
- OpenClaw for Node.js (all versions before the security patch)
- Systems utilizing OpenClaw allowlist mode with allow-always grants
Discovery Timeline
- 2026-03-18 - CVE-2026-22175 published to NVD
- 2026-03-19 - Last updated in the NVD database
Technical Details for CVE-2026-22175
Vulnerability Analysis
This vulnerability represents an authorization bypass condition where the exec approval mechanism in OpenClaw fails to account for all possible command execution pathways. The root issue lies in the incomplete list of disallowed inputs (CWE-184), specifically related to multiplexer shell wrappers that were not anticipated in the original allowlist design.
When OpenClaw operates in allowlist mode with allow-always grants configured, it maintains a list of approved execution patterns. However, the validation logic does not properly recognize certain multiplexer shell wrappers as execution vectors. This creates a gap where commands executed through these wrappers can satisfy the stored allowlist rules while actually executing entirely different payloads than what was originally approved.
The vulnerability can be exploited over the network by authenticated users with low privileges. Confidentiality is not directly impacted; the integrity impact is high, because attackers can execute unauthorized commands, and the availability impact is low.
Root Cause
The root cause is an incomplete validation mechanism in the exec approval system. The allowlist implementation fails to recognize and properly handle multiplexer shell wrappers like busybox and toybox. When a command is wrapped in these multiplexer utilities using sh -c syntax, the allowlist comparison logic treats the wrapper command as the executed command rather than analyzing the actual payload being executed.
This creates a scenario where an attacker can craft commands that technically match an existing allowlist entry (based on the wrapper) while the actual executed payload is arbitrary and unauthorized. The stored allow-always grants become ineffective as they can be satisfied by any command using the same multiplexer wrapper pattern.
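The following is an added example, not OpenClaw's own code, that models the comparison flaw described above in a small Node.js allowlist: a weak resolver takes argv[0] (the multiplexer binary) as the executed command, so any payload behind the same busybox or toybox sh -c wrapper satisfies an existing allow-always grant, while a hardened resolver peels recognized wrappers and matches the grant against the real program. The grant store, the resolver functions, the tokenizer and every command line are constructed for illustration and make no claim about how OpenClaw itself is implemented.

```javascript
// Added example, not OpenClaw's own code: a simplified exec approval
// allowlist with allow-always grants. It contrasts the comparison shape the
// advisory describes (wrapper binary taken as the executed command) with a
// hardened one that resolves the actual payload. All names, grants and
// command lines are constructed for illustration.

const MULTIPLEXERS = new Set(['busybox', 'toybox']);
const SHELLS = new Set(['sh', 'ash', 'dash', 'bash']);
// Operators that make one payload cover more than a single program.
const SHELL_OPERATORS = /[|;&`$<>()]/;

// Minimal argv tokenizer: splits on whitespace, honouring single and double quotes.
function tokenize(cmdline) {
  const argv = [];
  let cur = '';
  let quote = null;
  let inToken = false;
  for (const ch of cmdline) {
    if (quote) {
      if (ch === quote) quote = null; else cur += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch; inToken = true;
    } else if (/\s/.test(ch)) {
      if (inToken) { argv.push(cur); cur = ''; inToken = false; }
    } else {
      cur += ch; inToken = true;
    }
  }
  if (inToken) argv.push(cur);
  return argv;
}

// If argv has the shape `<multiplexer> <shell> -c <payload>`, return the
// payload string; otherwise null.
function unwrapMultiplexer(argv) {
  if (argv.length !== 4) return null;
  const [mux, shell, flag, payload] = argv;
  if (!MULTIPLEXERS.has(mux) || !SHELLS.has(shell) || flag !== '-c') return null;
  return payload;
}

// Weak resolution (the flaw's shape): the program compared against the stored
// grant is argv[0], so "busybox" is "the command" whatever follows -c.
function weakExecutable(cmdline) {
  const argv = tokenize(cmdline);
  return argv.length ? argv[0] : null;
}

// Hardened resolution: peel known multiplexer wrappers (bounded depth) until
// the real program appears. A payload containing shell operators is not
// reducible to one program, and a wrapper form that cannot be unwrapped
// (e.g. the applet form "busybox ls") is not trusted either; both yield null,
// so neither can match an allow-always grant and both fall back to a prompt.
function hardenedExecutable(cmdline) {
  let argv = tokenize(cmdline);
  for (let depth = 0; depth < 4; depth++) {
    const inner = unwrapMultiplexer(argv);
    if (inner === null) break;
    if (SHELL_OPERATORS.test(inner)) return null;
    argv = tokenize(inner);
  }
  if (argv.length === 0 || MULTIPLEXERS.has(argv[0])) return null;
  return argv[0];
}

// An allow-always grant records the executable it was approved for; a later
// command is auto-approved when its resolved executable matches a grant.
function isAllowed(grants, cmdline, resolve) {
  const exe = resolve(cmdline);
  return exe !== null && grants.has(exe);
}

// Constructed scenario: an operator once approved `busybox sh -c "ls /tmp"`
// with allow-always. Which executable the grant records depends on the resolver.
function demo() {
  const approved = 'busybox sh -c "ls /tmp"';
  const later = 'busybox sh -c "touch /tmp/unapproved"';
  const weakGrants = new Set([weakExecutable(approved)]);     // {"busybox"}
  const hardGrants = new Set([hardenedExecutable(approved)]); // {"ls"}
  return {
    weakAllowsPayload: isAllowed(weakGrants, later, weakExecutable),           // true: bypass
    hardenedAllowsPayload: isAllowed(hardGrants, later, hardenedExecutable),   // false
    hardenedAllowsOriginal: isAllowed(hardGrants, approved, hardenedExecutable), // true
  };
}
```

The design point in the hardened resolver is that anything it cannot reduce to exactly one program, including compound payloads and wrapper forms it does not recognize, returns null and therefore never silently matches a stored grant; an unrecognized wrapper costs the user a prompt rather than granting an attacker a bypass.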
Attack Vector
The attack vector is network-based and requires low privileges to exploit. An attacker with access to invoke commands through OpenClaw can exploit this vulnerability by:
- Identifying an existing allow-always grant that uses a multiplexer shell wrapper
- Crafting a malicious command using the same wrapper pattern (e.g., busybox sh -c or toybox sh -c)
- Submitting the crafted command which satisfies the allowlist rule based on the wrapper
- Achieving execution of arbitrary payloads that were never explicitly approved
The vulnerability allows attackers to invoke arbitrary payloads under the same multiplexer wrapper to satisfy stored allowlist rules, completely bypassing the intended execution restrictions that OpenClaw's allowlist mode is designed to enforce.
Detection Methods for CVE-2026-22175
Indicators of Compromise
- Unexpected command executions involving busybox sh -c or toybox sh -c patterns in OpenClaw logs
- Execution of commands that do not match the intended allow-always grant purposes
- Anomalous command patterns where the actual executed payload differs from historical approved patterns
- Evidence of command injection attempts using multiplexer shell wrapper syntax
Detection Strategies
- Monitor OpenClaw execution logs for commands utilizing multiplexer shell wrappers (busybox, toybox)
- Implement behavioral analysis to detect command executions that differ from baseline approved patterns
- Deploy runtime application security monitoring to identify allowlist bypass attempts
- Review allow-always grants for patterns that could be exploited through wrapper manipulation
Monitoring Recommendations
- Enable verbose logging in OpenClaw to capture full command execution details
- Implement alerting for any execution involving multiplexer utilities in allowlist mode
- Establish baseline execution patterns and alert on deviations
- Integrate OpenClaw logs with SIEM solutions for correlation with other security events
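As an added example that is not part of the advisory or of OpenClaw, the routine below applies the detection strategies above to execution logs: it picks out exec events that were auto-approved by an allow-always grant through a busybox or toybox sh -c wrapper and compares the wrapped program against a baseline of historically approved programs. The page does not document OpenClaw's log format, so the JSON-lines layout (one event per line with ts, mode, decision and argv fields), the sample lines and the baseline set are all constructed assumptions for this example.

```javascript
// Added example, not OpenClaw's own code: log triage for the indicators of
// compromise above. The JSON-lines event shape, the sample log and the
// baseline are constructed for this example; adapt the field names to the
// real log format.

const MULTIPLEXERS = new Set(['busybox', 'toybox']);
const SHELLS = new Set(['sh', 'ash', 'dash', 'bash']);

// Constructed sample log: exec events as one JSON object per line.
const SAMPLE_LOG = [
  '{"ts":"2026-03-18T10:00:01Z","mode":"allowlist","decision":"allow-always","argv":["busybox","sh","-c","ls /tmp"]}',
  '{"ts":"2026-03-18T10:02:14Z","mode":"allowlist","decision":"allow-always","argv":["ls","/var/log"]}',
  '{"ts":"2026-03-18T10:05:37Z","mode":"allowlist","decision":"allow-always","argv":["busybox","sh","-c","touch /tmp/unapproved"]}',
  '{"ts":"2026-03-18T10:06:02Z","mode":"allowlist","decision":"prompt","argv":["toybox","sh","-c","id"]}',
  'not a json line',
].join('\n');

// Baseline of programs seen in earlier, audited allow-always executions (constructed).
const BASELINE = new Set(['ls', 'cat', 'grep']);

// First word of the payload in `<multiplexer> <shell> -c <payload>`, or null
// when argv does not have that shape.
function innerProgram(argv) {
  if (!Array.isArray(argv) || argv.length !== 4) return null;
  const [mux, shell, flag, payload] = argv;
  if (!MULTIPLEXERS.has(mux) || !SHELLS.has(shell) || flag !== '-c') return null;
  const first = String(payload).trim().split(/\s+/)[0];
  return first || null;
}

// Parse JSON lines (skipping malformed ones) and return one finding per exec
// event that was auto-approved via a multiplexer wrapper. Every such event is
// worth review; one whose inner program falls outside the baseline is the
// strongest indicator that a stored grant was satisfied by a different payload.
function findWrapperBypasses(logText, baseline) {
  const findings = [];
  for (const line of logText.split('\n')) {
    let ev;
    try { ev = JSON.parse(line); } catch (e) { continue; }
    if (ev.mode !== 'allowlist' || ev.decision !== 'allow-always') continue;
    const prog = innerProgram(ev.argv);
    if (prog === null) continue; // not a recognized multiplexer wrapper form
    findings.push({
      ts: ev.ts,
      wrapper: ev.argv[0],
      program: prog,
      severity: baseline.has(prog) ? 'review' : 'alert',
    });
  }
  return findings;
}

// Running this file prints the findings for the constructed log.
console.log(JSON.stringify(findWrapperBypasses(SAMPLE_LOG, BASELINE), null, 2));
```

Events answered with a prompt are skipped on purpose: the indicator is a wrapper that was approved automatically, since that is the path on which the stored allow-always rule, not a human, made the decision. Feeding the same findings into a SIEM as two distinct signals (review versus alert) keeps the baseline deviations from being buried under routine wrapper use.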
How to Mitigate CVE-2026-22175
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.23 or later immediately
- Review all existing allow-always grants for potential exploitation via multiplexer wrappers
- Audit recent execution logs for signs of exploitation attempts
- Consider temporarily disabling allowlist mode if immediate patching is not possible
Patch Information
A security patch has been released by the OpenClaw maintainers to address this vulnerability. The fix is available in version 2026.2.23 and includes improved handling of multiplexer shell wrappers in the allowlist validation logic.
The security advisory and patch details are available at:
Additional technical analysis is available from the VulnCheck advisory.
Workarounds
- Avoid using allow-always grants that involve shell wrapper patterns until patched
- Implement additional validation layers outside of OpenClaw's native allowlist mechanism
- Restrict access to OpenClaw command execution interfaces to trusted users only
- Deploy network segmentation to limit the attack surface for authenticated users
# Upgrade OpenClaw to the patched version (npm install with an explicit
# version spec pins the package to that release and records it in package.json)
npm install openclaw@2026.2.23
# Verify the installed version
npm list openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.