CVE Vulnerability Database

CVE-2026-27487: OpenClaw RCE Vulnerability

CVE-2026-27487 is a remote code execution vulnerability in OpenClaw affecting macOS users. Command injection via OAuth tokens allows unauthorized code execution. This article covers technical details, affected versions, and mitigation.

CVE-2026-27487 Overview

CVE-2026-27487 is an operating system command injection vulnerability [CWE-78] in OpenClaw, a personal AI assistant that integrates with the Claude CLI. The flaw exists in versions 2026.2.13 and below when running on macOS. The Claude CLI keychain credential refresh path constructed a shell command to persist updated JSON credentials into Keychain using security add-generic-password -w .... Because OAuth tokens are user-controlled data and were embedded directly into the shell command string, an attacker who controls the token content can inject arbitrary OS commands. The maintainers fixed the issue in version 2026.2.14.

Critical Impact

Authenticated attackers can execute arbitrary shell commands on macOS hosts running vulnerable OpenClaw versions, leading to full compromise of confidentiality, integrity, and availability.

Affected Products

  • OpenClaw versions 2026.2.13 and earlier (Node.js distribution)
  • Apple macOS (Keychain integration path)
  • OpenClaw Claude CLI keychain credential refresh component

Discovery Timeline

  • 2026-02-21 - CVE-2026-27487 published to NVD
  • 2026-02-23 - Last updated in NVD database

Technical Details for CVE-2026-27487

Vulnerability Analysis

The vulnerability resides in the macOS-specific credential persistence routine of the Claude CLI integration. When OpenClaw refreshes OAuth credentials, it serializes the updated JSON blob and invokes the macOS security binary to store the result in Keychain. The implementation builds the command line by concatenating untrusted token data into a shell-interpreted string, then executes it through a shell. Because the OAuth token value flows directly into the command, shell metacharacters such as backticks, $(), ;, and | are interpreted rather than treated as literal data.

Root Cause

The root cause is improper neutralization of special elements used in an OS command [CWE-78]. The keychain refresh path used string interpolation to build a shell invocation around security add-generic-password -w <token> rather than passing arguments as a fixed argv array. No escaping, quoting, or input validation was applied to the OAuth token before it reached the shell.

Attack Vector

Exploitation requires that an attacker influence the OAuth token content stored or refreshed by OpenClaw. This can occur when a malicious authorization server, a man-in-the-middle on a misconfigured TLS path, or a crafted token response delivers a token containing shell metacharacters. User interaction is required to trigger the credential refresh path. When the vulnerable code executes the constructed command, the injected payload runs with the privileges of the OpenClaw process on the macOS host. No synthetic exploit code is published here; refer to the GitHub Security Advisory GHSA-4564-pvr2-qq4h and the fix commit for technical details.

Detection Methods for CVE-2026-27487

Indicators of Compromise

  • Unexpected child processes of the OpenClaw Node.js runtime spawning /bin/sh, /bin/bash, or security with anomalous arguments on macOS.
  • Keychain entries for the Claude CLI containing malformed JSON or shell metacharacters such as `, $(, ;, or |.
  • Outbound network connections initiated by shells spawned from the OpenClaw process tree shortly after a credential refresh event.

Detection Strategies

  • Hunt for process lineage where node or the OpenClaw binary is the parent of sh -c invocations that include the string security add-generic-password.
  • Inspect macOS Unified Logs for security command invocations whose -w argument contains shell control characters.
  • Compare installed OpenClaw versions against 2026.2.14 across the fleet and flag any host running 2026.2.13 or earlier.
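The first two hunts above, expressed as detection logic and run over constructed process-telemetry records. This is an added example, not OpenClaw's code or any vendor's detection content; the record shape (pid, parentImage, image, argv) and the hit labels are assumptions.

```javascript
// Shell control characters that have no place inside an OAuth token or its JSON wrapper.
const SHELL_CONTROL = /[`$;|&<>()]/;

// Pull the value following "-w" out of a command line. Handles the single- or
// double-quoted value a shell-built command would carry, or a bare word.
function extractPasswordArg(cmdline) {
  const m = cmdline.match(/(?:^|\s)-w\s+(?:'([^']*)'|"([^"]*)"|(\S+))/);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// One telemetry record -> list of hunt hits (empty when nothing matched).
function classify(event) {
  const hits = [];
  const parentIsAssistant = /^(node|openclaw)$/i.test(event.parentImage);
  const isShellDashC = /^(sh|bash|zsh)$/.test(event.image) && event.argv[1] === '-c';
  // For "sh -c SCRIPT" the interesting text is the script; otherwise the argv itself.
  const script = isShellDashC ? event.argv.slice(2).join(' ') : event.argv.join(' ');
  const isKeychainWrite = script.includes('security add-generic-password');
  // Hunt 1: AI-assistant/dev tooling process spawning a shell to write Keychain.
  if (parentIsAssistant && isShellDashC && isKeychainWrite) hits.push('keychain-write-via-shell');
  // Hunt 2: any security add-generic-password whose -w argument carries control characters.
  if (isKeychainWrite) {
    const pw = extractPasswordArg(script);
    if (pw !== null && SHELL_CONTROL.test(pw)) hits.push('metachars-in-w-arg');
  }
  return hits;
}

// Returns only the records that produced at least one hit.
function scan(events) {
  return events.map(e => ({ pid: e.pid, hits: classify(e) })).filter(r => r.hits.length > 0);
}

// Constructed sample records (not real logs). Token values are placeholders.
const SAMPLE_EVENTS = [
  { pid: 101, parentImage: 'node', image: 'sh', argv: ['sh', '-c', "security add-generic-password -U -s svc -a me -w 'eyJ.abc'"] },
  { pid: 102, parentImage: 'node', image: 'sh', argv: ['sh', '-c', "security add-generic-password -U -s svc -a me -w 'tok$(x)'"] },
  { pid: 103, parentImage: 'launchd', image: 'security', argv: ['security', 'add-generic-password', '-a', 'me', '-w', 'tok;x'] },
  { pid: 104, parentImage: 'node', image: 'sh', argv: ['sh', '-c', 'git status'] },
];

module.exports = { extractPasswordArg, classify, scan, SAMPLE_EVENTS };
```

Record 101 is flagged only because a shell built the Keychain write (the vulnerable pattern itself), 102 on both hunts, 103 only on the -w argument, and 104 not at all.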

Monitoring Recommendations

  • Enable command-line argument logging on macOS endpoints to capture full arguments passed to security and shell interpreters.
  • Forward EDR process telemetry to a centralized data lake and alert on shell invocations originating from AI assistant or developer tooling processes.
  • Audit OAuth token issuance logs from the identity provider used with the Claude CLI for anomalous token values.

How to Mitigate CVE-2026-27487

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.2.14 or later on all macOS hosts.
  • Revoke and reissue any OAuth tokens that may have been processed by a vulnerable OpenClaw build.
  • Inventory developer and analyst macOS endpoints for installations of the Claude CLI integration and prioritize remediation.

Patch Information

The maintainers released the fix in OpenClaw v2026.2.14. The corrective changes are tracked in the primary fix commit, the follow-up commit, and a hardening commit, with discussion in the pull request. The fix replaces the shell-interpreted command construction with a safe argv invocation that passes the token as a discrete argument to security.

Workarounds

  • Disable the macOS Keychain credential refresh path in OpenClaw until the upgrade is applied.
  • Restrict OpenClaw to trusted OAuth providers and pinned TLS endpoints to reduce the chance of attacker-controlled token content.
  • Run OpenClaw under a least-privileged macOS user account so that any injected command executes with minimal capabilities.
```bash
# Verify installed OpenClaw version and upgrade on macOS
openclaw --version
npm install -g openclaw@2026.2.14
openclaw --version  # confirm 2026.2.14 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
