CVE-2026-22179 Overview
CVE-2026-22179 is a command injection vulnerability (CWE-78) affecting OpenClaw versions prior to 2026.2.22 in the macOS node-host system.run component. The vulnerability stems from an allowlist bypass that enables remote attackers to execute non-allowlisted commands by exploiting improper parsing of command substitution tokens. Attackers can craft shell payloads with command substitution syntax within double-quoted text to bypass security restrictions and execute arbitrary commands on the system.
Critical Impact
Remote attackers can bypass command allowlist restrictions to execute arbitrary commands on affected macOS systems running vulnerable OpenClaw versions, potentially leading to complete system compromise.
Affected Products
- OpenClaw versions prior to 2026.2.22
- OpenClaw Node.js macOS installations
- Systems using OpenClaw node-host system.run functionality
Discovery Timeline
- 2026-03-18 - CVE-2026-22179 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-22179
Vulnerability Analysis
This vulnerability exists in OpenClaw's command execution resolution logic within the macOS implementation. The core issue lies in the ExecCommandResolution.swift file, which failed to properly validate command substitution syntax when processing double-quoted shell strings. While the original implementation checked for shell substitution patterns in unquoted contexts, it neglected to apply the same security controls to content within double-quoted text.
The vulnerability allows attackers to embed command substitution tokens (such as $(...) or backtick notation) inside double-quoted strings, effectively bypassing the allowlist mechanism designed to restrict which commands can be executed through the system.run interface.
Root Cause
The root cause of CVE-2026-22179 is improper input validation in the command allowlist checking mechanism. The original code only invoked shouldFailClosedForUnquotedShell() when the parser was outside both single and double quotes (!inSingle, !inDouble). This created a security gap where command substitution patterns embedded within double-quoted strings would not trigger the fail-closed security check, allowing malicious commands to pass through the allowlist filter undetected.
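To make the quote-context gap concrete, here is a small Python model of the allowlist scan (added here; it is not OpenClaw's Swift code). The substitution token set ("$(", backtick, "<(", ">(") is an assumption drawn from the patch comment "command/process substitution", and the function names are illustrative:

```python
from typing import Optional

# Added example, not OpenClaw's code: a Python model of the quote-aware allowlist
# scan. The substitution token set ("$(", backtick, "<(", ">(") is an assumption
# based on the patch comment "command/process substitution".

def is_substitution_start(ch: str, nxt: Optional[str]) -> bool:
    """True if ch (and the following character) open a substitution token."""
    if ch == "`":
        return True
    return ch in "$<>" and nxt == "("

def allowlist_scan(cmdline: str, check_inside_double_quotes: bool) -> bool:
    """Return True if cmdline passes the scan, False to fail closed.

    check_inside_double_quotes=False models the pre-patch behaviour: the
    substitution check ran only when !inSingle && !inDouble.
    check_inside_double_quotes=True models the patched behaviour: the check
    runs whenever !inSingle, so double-quoted text is covered too.
    """
    in_single = in_double = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        nxt = cmdline[i + 1] if i + 1 < len(cmdline) else None
        if ch == "\\" and not in_single:
            i += 2                      # backslash escapes the next character
            continue
        if ch == "'" and not in_double:
            in_single = not in_single   # single quotes are literal inside double quotes
        elif ch == '"' and not in_single:
            in_double = not in_double   # double quotes are literal inside single quotes
        elif not in_single and (check_inside_double_quotes or not in_double):
            if is_substitution_start(ch, nxt):
                return False            # fail closed: substitution token found
        i += 1
    return True

def prepatch_accepts(cmdline: str) -> bool:
    return allowlist_scan(cmdline, check_inside_double_quotes=False)

def patched_accepts(cmdline: str) -> bool:
    return allowlist_scan(cmdline, check_inside_double_quotes=True)

if __name__ == "__main__":
    for cmd in ['echo hello', 'echo $(date)', 'echo "$(date)"',
                "echo '$(date)'", 'echo "\\$(date)"', 'echo `date`']:
        print(f"{cmd!r:22} pre-patch={prepatch_accepts(cmd)} patched={patched_accepts(cmd)}")
```

Only the double-quoted case differs between the two modes: the pre-patch scan accepts it, the patched scan fails closed, while single-quoted and backslash-escaped text stays accepted by both.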
Attack Vector
The attack vector is network-based, requiring the attacker to have elevated privileges to interact with the OpenClaw node-host system.run interface. Once access is obtained, an attacker can craft a malicious payload containing command substitution syntax enclosed in double quotes. When this payload is processed by the vulnerable allowlist checking code, the embedded commands bypass security validation and are executed with the privileges of the OpenClaw process.
The security patch addresses this by introducing shouldFailClosedForShell() which is invoked regardless of double-quote context, ensuring command substitution detection applies uniformly:
continue
}
+ if !inSingle, self.shouldFailClosedForShell(ch: ch, next: next) {
+ // Fail closed on command/process substitution in allowlist mode,
+ // including inside double-quoted shell strings.
+ return nil
+ }
+
if !inSingle, !inDouble {
- if self.shouldFailClosedForUnquotedShell(ch: ch, next: next) {
- // Fail closed on command/process substitution in allowlist mode.
- return nil
- }
let prev: Character? = idx > 0 ? chars[idx - 1] : nil
if let delimiterStep = self.chainDelimiterStep(ch: ch, prev: prev, next: next) {
guard appendCurrent() else { return nil }
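Review bot: the new "if !inSingle, self.shouldFailClosedForShell(ch: ch, next: next)" check now runs inside double-quoted text, but this hunk does not show how a backslash-escaped "\$(" or "\`" inside double quotes is handled; if escapes are consumed in the "continue" branch just above the hunk this is fine, otherwise a legitimate escaped literal will now fail closed, so a test case for a double-quoted "\$(x)" would pin down the intended behaviour. Also confirm that shouldFailClosedForUnquotedShell is deleted or renamed now that its only call site in this block is removed, and add regression tests for "$(...)", backticks and process substitution inside double quotes so the new fail-closed path is covered.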
Source: GitHub Commit Update
Detection Methods for CVE-2026-22179
Indicators of Compromise
- Unusual shell commands executed by OpenClaw processes containing $(...) or backtick substitution patterns
- Log entries showing system.run invocations with double-quoted strings containing embedded shell metacharacters
- Unexpected child processes spawned from OpenClaw node-host on macOS systems
Detection Strategies
- Monitor OpenClaw process activity for unexpected command executions, particularly those containing shell substitution syntax
- Implement application-layer logging to capture all system.run invocations and flag those with suspicious patterns
- Deploy endpoint detection rules that alert on command injection patterns within OpenClaw process context
Monitoring Recommendations
- Enable verbose logging for OpenClaw node-host operations on macOS systems
- Configure SIEM alerts for command substitution patterns ($(, backticks) in process command lines associated with OpenClaw
- Establish baseline behavior for OpenClaw command execution and alert on deviations
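The monitoring guidance above can be expressed as two rules run over process-spawn events from OpenClaw: flag substitution tokens in child command lines, and flag commands outside an established baseline. The following is an added Python illustration, not an OpenClaw or vendor rule; the event line format, the parent process name "openclaw-node-host" and the baseline command set are constructed assumptions:

```python
import re
from typing import Dict, List, Tuple

# Added example, not an OpenClaw or vendor rule. Sample events are constructed;
# the line format "<ts> parent=<proc> pid=<n> cmd=<command line>" and the
# parent process name "openclaw-node-host" are assumptions.

EVENT_RE = re.compile(r"^(?P<ts>\S+) parent=(?P<parent>\S+) pid=(?P<pid>\d+) cmd=(?P<cmd>.*)$")
SUBSTITUTION_RE = re.compile(r"\$\(|`")          # $( or backtick, per the SIEM guidance above
OPENCLAW_PARENTS = {"openclaw-node-host"}
# Constructed baseline of command names OpenClaw is expected to run on this host.
BASELINE_COMMANDS = {"ls", "cat", "uptime", "echo"}

SAMPLE_EVENTS = """\
2026-03-20T10:00:01Z parent=openclaw-node-host pid=4101 cmd=ls -la /tmp
2026-03-20T10:00:07Z parent=openclaw-node-host pid=4102 cmd=echo "$(date)"
2026-03-20T10:00:09Z parent=bash pid=4103 cmd=echo "$(date)"
2026-03-20T10:00:12Z parent=openclaw-node-host pid=4104 cmd=cat `ls /tmp`
2026-03-20T10:00:15Z parent=openclaw-node-host pid=4105 cmd=uptime
2026-03-20T10:00:18Z parent=openclaw-node-host pid=4106 cmd=curl http://example.invalid
"""

def parse_event(line: str) -> Dict[str, str]:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    return m.groupdict()

def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the rule names the event triggers (empty list if none)."""
    if event["parent"] not in OPENCLAW_PARENTS:
        return []                                  # only OpenClaw-spawned children are in scope
    reasons = []
    if SUBSTITUTION_RE.search(event["cmd"]):
        reasons.append("substitution-token")       # $( or backtick in the command line
    words = event["cmd"].split()
    if not words or words[0] not in BASELINE_COMMANDS:
        reasons.append("outside-baseline")         # deviation from the established baseline
    return reasons

def alerts_for(log_text: str) -> List[Tuple[str, List[str]]]:
    """Map each flagged OpenClaw child pid to the rules it triggered."""
    out = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        reasons = evaluate(ev)
        if reasons:
            out.append((ev["pid"], reasons))
    return out
```

Note that the substitution rule is deliberately not quote-aware: a single-quoted literal "$(" will also alert, which is the fail-open-to-the-analyst trade-off a SIEM rule usually accepts.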
How to Mitigate CVE-2026-22179
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.22 or later immediately
- Audit systems for any signs of exploitation prior to patching
- Restrict network access to OpenClaw node-host interfaces where possible
- Review and minimize privileges granted to OpenClaw processes
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.22. The fix modifies the ExecCommandResolution.swift file to check for command substitution patterns regardless of quote context, ensuring the fail-closed security mechanism applies uniformly. The patch is available via the GitHub Commit Update. Additional details can be found in the GitHub Security Advisory GHSA-9p38-94jf-hgjj.
Workarounds
- Implement network-level access controls to restrict who can interact with OpenClaw system.run endpoints
- Deploy web application firewall rules to detect and block command substitution patterns in requests
- Consider temporarily disabling the system.run functionality if not critical to operations until patching is complete
# Verify OpenClaw version to confirm patch status
openclaw --version
# Expected output for patched version: 2026.2.22 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

