CVE-2026-27487 Overview
CVE-2026-27487 is an OS command injection vulnerability in OpenClaw, a personal AI assistant application. In versions 2026.2.13 and below, the macOS-specific keychain credential refresh functionality constructs a shell command using user-controlled OAuth tokens when writing JSON data via security add-generic-password -w. Because OAuth tokens are user-controlled data passed directly into shell commands, an attacker could craft a malicious OAuth token payload to execute arbitrary system commands with the privileges of the OpenClaw process.
Critical Impact
This command injection vulnerability allows attackers to execute arbitrary commands on macOS systems running vulnerable versions of OpenClaw, potentially leading to complete system compromise, data exfiltration, or persistent access.
Affected Products
- OpenClaw versions 2026.2.13 and below (Node.js)
- Apple macOS (platform dependency)
- OpenClaw CLI credential management components
Discovery Timeline
- February 21, 2026 - CVE-2026-27487 published to NVD
- February 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-27487
Vulnerability Analysis
This command injection vulnerability (CWE-78) exists in OpenClaw's credential management module, which stores OAuth tokens in the macOS Keychain. The vulnerable code path used Node.js execSync to run shell commands, concatenating user-controlled OAuth token data directly into the command string. As a result, any attacker who can influence the OAuth token content (through a malicious OAuth provider, a man-in-the-middle attack, or a compromised authentication flow) could inject shell metacharacters and execute arbitrary commands on the target system.
The vulnerability specifically affects the writeClaudeCliKeychainCredentials function in src/agents/cli-credentials.ts, where the shell command construction failed to properly sanitize or escape the credential data before execution.
Root Cause
The root cause is the use of execSync with string-based shell command construction instead of the safer execFileSync with argument arrays. When OAuth credentials are passed directly into a shell command string, shell metacharacters such as backticks, semicolons, or command substitution syntax ($()) embedded in the token data are interpreted and executed by the shell.
The vulnerable pattern involved:
- Using execSync which invokes a shell interpreter
- Constructing command strings via template literals with unsanitized user data
- Passing OAuth tokens (user-controlled) directly into shell commands
Attack Vector
An attacker could exploit this vulnerability through several scenarios:
- Malicious OAuth Provider: Setting up a rogue OAuth provider that returns crafted access tokens containing shell injection payloads
- Token Interception: Intercepting and modifying OAuth tokens during the authentication flow
- Social Engineering: Tricking users into authenticating with a malicious service that returns weaponized tokens
When the OpenClaw CLI attempts to refresh and store these credentials, the injected commands execute with the user's privileges, potentially allowing full system compromise.
The following code shows the security patch that addresses this vulnerability by switching from shell-based execSync to the safer execFileSync with explicit argument arrays:
export function writeClaudeCliKeychainCredentials(
newCredentials: OAuthCredentials,
- options?: { execSync?: ExecSyncFn; execFileSync?: ExecFileSyncFn },
+ options?: { execFileSync?: ExecFileSyncFn },
): boolean {
- const execSyncImpl = options?.execSync ?? execSync;
const execFileSyncImpl = options?.execFileSync ?? execFileSync;
try {
- const existingResult = execSyncImpl(
- `security find-generic-password -s "${CLAUDE_CLI_KEYCHAIN_SERVICE}" -w 2>/dev/null`,
+ const existingResult = execFileSyncImpl(
+ "security",
+ ["find-generic-password", "-s", CLAUDE_CLI_KEYCHAIN_SERVICE, "-w"],
{ encoding: "utf8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] },
);
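Review bot: the hunk converts only the read side (find-generic-password); the write side, the add-generic-password -w call that carries the OAuth token JSON and is the injection sink named in the advisory, is not in this excerpt, so confirm it also goes through execFileSyncImpl with an argument array and that no template literal remains in src/agents/cli-credentials.ts. Dropping the `2>/dev/null` redirection is fine because stderr was already routed to a pipe via `stdio: ["pipe", "pipe", "pipe"]`; note that execFileSync, like execSync, throws on a non-zero exit (the item-not-found case), so the enclosing try block must still treat that as "no existing credentials" rather than as a failure. Removing `execSync` from the options type also removes an injection point that tests or callers may depend on; check remaining call sites.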
Source: GitHub Commit Update
Detection Methods for CVE-2026-27487
Indicators of Compromise
- Unusual executions of the macOS security command with suspicious parameters or chained shell commands
- Unexpected child processes spawned by OpenClaw/Node.js processes on macOS
- OAuth token values containing shell metacharacters (;, |, $(), backticks)
- Anomalous keychain access patterns or rapid credential refresh attempts
- Network connections to unknown OAuth providers or authentication endpoints
Detection Strategies
- Monitor process execution chains for security binary invocations with malformed or suspicious arguments
- Implement endpoint detection rules for shell command injection patterns in Node.js process arguments
- Analyze OAuth token content for shell metacharacters during authentication flows
- Deploy behavioral analysis to detect anomalous command execution following keychain operations
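An added example (not from the advisory or OpenClaw) that applies the first two strategies above to constructed process-execution records: it flags the `security` tool being reached through a shell from a Node.js parent, and shell metacharacters in its arguments. The event shape (pid, parent, image, argv) is assumed and is not any particular EDR's format.

```javascript
// Constructed process-execution events in an assumed shape (pid, parent image
// name, child image, argv); not the record format of any particular EDR.
const SAMPLE_EVENTS = [
  // benign: a direct argv-array call, as the patched code makes it
  { pid: 101, parent: "node", image: "/usr/bin/security",
    argv: ["security", "find-generic-password", "-s", "EXAMPLE_SERVICE", "-w"] },
  // suspicious: the vulnerable execSync pattern, security reached through
  // `sh -c` with a token value carrying command substitution
  { pid: 102, parent: "node", image: "/bin/sh",
    argv: ["sh", "-c",
      'security add-generic-password -s "EXAMPLE_SERVICE" -w "{\\"accessToken\\":\\"x$(echo INJECTED)\\"}"'] },
  // benign: unrelated process from an interactive shell
  { pid: 103, parent: "zsh", image: "/bin/ls", argv: ["ls", "-la"] },
];

// Characters that never appear in a well-formed `security` command line or
// in an OAuth token (bearer tokens and JWTs are base64url plus '.').
const INJECTION_CHARS = /[;|&`]|\$\(/;

// Returns a finding for one event, or null if it is not a suspicious
// keychain call.
function analyzeEvent(e) {
  const viaShell = /(^|\/)(ba|z|da)?sh$/.test(e.image) && e.argv[1] === "-c";
  const cmdline = viaShell ? (e.argv[2] ?? "") : e.argv.join(" ");
  if (!/(^|\s)security\s/.test(cmdline)) return null; // not a keychain tool call
  const reasons = [];
  if (viaShell && e.parent === "node") {
    reasons.push("security reached through a shell from a Node.js parent");
  }
  if (INJECTION_CHARS.test(cmdline)) {
    reasons.push("shell metacharacters in security arguments");
  }
  return reasons.length ? { pid: e.pid, reasons } : null;
}

// Runs the check over a batch of events and keeps only the findings.
function detectKeychainInjection(events) {
  return events.map(analyzeEvent).filter(Boolean);
}
```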
Monitoring Recommendations
- Enable audit logging for macOS security command usage and Keychain access events
- Configure SentinelOne to alert on suspicious process trees originating from Node.js/OpenClaw processes
- Monitor for base64-encoded or obfuscated payloads in OAuth token fields
- Implement network monitoring for OAuth flows to detect token tampering or suspicious providers
How to Mitigate CVE-2026-27487
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Audit existing OAuth tokens for any suspicious content or shell metacharacters
- Review macOS system logs for any evidence of exploitation
- Consider temporarily disabling the keychain credential storage functionality if upgrade is not immediately possible
- Verify OAuth provider configurations and ensure only trusted providers are authorized
Patch Information
OpenClaw has released version 2026.2.14 which addresses this vulnerability by replacing execSync with execFileSync and using explicit argument arrays instead of shell string interpolation. This eliminates the shell interpretation layer entirely, preventing command injection regardless of token content.
The fix is available through:
Workarounds
- Disable automatic keychain credential storage and manage tokens manually
- Use an alternative credential storage mechanism that doesn't involve shell execution
- Implement input validation at the application layer to reject tokens containing shell metacharacters
- Run OpenClaw in a sandboxed environment with restricted shell access
# Verify your OpenClaw version
openclaw --version
# Upgrade to the patched version (add -g if OpenClaw is installed globally)
npm install openclaw@2026.2.14
# If using yarn
yarn upgrade openclaw@2026.2.14
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

