CVE-2026-28460: OpenClaw Allowlist Bypass RCE Vulnerability

CVE-2026-28460 Overview

CVE-2026-28460 is a command injection vulnerability affecting OpenClaw versions prior to 2026.2.22. The vulnerability exists in the system.run function where attackers can bypass the allowlist security mechanism by exploiting shell line-continuation characters. By injecting $\\ followed by a newline and opening parenthesis inside double quotes, attackers can cause the shell to fold the line continuation into executable command substitution, effectively circumventing the intended security approval boundaries.

This allowlist bypass vulnerability allows authenticated attackers with network access to execute arbitrary commands that would normally be blocked by OpenClaw's security controls, potentially leading to unauthorized system modifications and limited availability impact.

Critical Impact

Attackers can bypass OpenClaw's command allowlist security controls to execute non-approved commands, potentially compromising system integrity through unauthorized command execution.

Affected Products

• OpenClaw versions prior to 2026.2.22
• OpenClaw for Node.js (all versions before the security patch)

Discovery Timeline

• 2026-03-19 - CVE-2026-28460 published to NVD
• 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2026-28460

Vulnerability Analysis

This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The core issue lies in how OpenClaw's security analysis fails to properly detect and block shell line-continuation sequences within command strings.

OpenClaw implements an allowlist mechanism to restrict which commands can be executed through the system.run interface. However, the security analysis can be circumvented by exploiting how shells interpret line-continuation characters (\\ followed by a newline). When an attacker crafts a command containing $\\ followed by a newline and an opening parenthesis within double quotes, the shell interprets this as a folded line continuation that becomes executable command substitution.

The vulnerability allows attackers with low privileges to bypass security boundaries over the network. While confidentiality is not directly impacted, the vulnerability enables high integrity impact through unauthorized command execution and limited availability disruption.

Root Cause

The root cause stems from an incomplete set of characters being validated within double-quoted strings during security analysis. The original implementation tracked certain escape sequences (\\, ", $, `) but failed to include newline and carriage return characters (\n, \r) in the DOUBLE_QUOTE_ESCAPES set. Additionally, there was no explicit check for shell line-continuation patterns (\\ followed by newlines) that could be used to split and obfuscate malicious command substitutions.

Attack Vector

The attack exploits the network-accessible system.run function in OpenClaw. An authenticated attacker with low privileges can craft a specially formatted command string that appears benign to the allowlist analysis but executes unauthorized commands when processed by the shell. The attack requires precise payload positioning, where the shell line-continuation pattern is embedded within double-quoted regions of the command string. This causes the static analysis to see a different command structure than what the shell ultimately executes.

// Security patch from src/infra/exec-approvals-allowlist.ts
// Source: https://github.com/openclaw/openclaw/commit/3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9

   validateSafeBinArgv,
 } from "./exec-safe-bin-policy.js";
 import { isTrustedSafeBinPath } from "./exec-safe-bin-trust.js";
+
+function hasShellLineContinuation(command: string): boolean {
+  return /\\(?:\r\n|\n|\r)/.test(command);
+}
+
 export function normalizeSafeBins(entries?: string[]): Set<string> {
   if (!Array.isArray(entries)) {
     return new Set();

// Security patch from src/infra/exec-approvals-analysis.ts
// Source: https://github.com/openclaw/openclaw/commit/3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9

 };
 
 const DISALLOWED_PIPELINE_TOKENS = new Set([">", "<", "`", "\n", "\r", "(", ")"]);
-const DOUBLE_QUOTE_ESCAPES = new Set(["\\", '"', "$", "`", "\n", "\r"]);
+const DOUBLE_QUOTE_ESCAPES = new Set(["\\", '"', "$", "`"]);
 const WINDOWS_UNSUPPORTED_TOKENS = new Set([
   "&",
   "|",

Detection Methods for CVE-2026-28460

Indicators of Compromise

• Unusual command strings containing backslash-newline sequences (\\\n or \\\r\n) in application logs
• Commands submitted to system.run containing $( or backtick sequences that were not previously approved
• Error logs indicating command execution failures following allowlist validation passes
• Audit trail showing commands executed that differ structurally from submitted command strings

Detection Strategies

• Implement logging at the system.run interface to capture both the submitted command and the actual executed command for comparison
• Deploy application-level monitoring to detect command strings containing shell metacharacters combined with line-continuation patterns
• Use regex-based log analysis to identify patterns matching /\$\\(?:\r\n|\n|\r)\(/ in command submissions
• Configure alerts for any execution of commands not present in the explicit allowlist

Monitoring Recommendations

• Enable verbose logging for the OpenClaw exec-approvals-allowlist and exec-approvals-analysis modules
• Monitor for discrepancies between statically analyzed command structures and runtime execution behavior
• Implement centralized logging for all system.run invocations with full command string capture
• Review audit logs for authenticated users submitting unusually formatted command strings

How to Mitigate CVE-2026-28460

Immediate Actions Required

• Upgrade OpenClaw to version 2026.2.22 or later immediately
• Audit recent system.run invocations for potential exploitation attempts
• Review allowlist configurations to ensure minimal required command permissions
• Consider temporarily disabling system.run functionality if immediate patching is not possible

Patch Information

OpenClaw has released a security patch in version 2026.2.22 that addresses this vulnerability. The fix introduces a new hasShellLineContinuation() function that explicitly detects and blocks shell line-continuation patterns before allowlist validation occurs. Additionally, the DOUBLE_QUOTE_ESCAPES set has been refined to properly handle escape character validation.

Patch details are available in the GitHub Security Advisory GHSA-9868 and the security commit.

Workarounds

• Implement an additional input validation layer that rejects any command strings containing backslash followed by newline characters
• Restrict system.run access to only highly trusted authenticated users pending patch deployment
• Deploy a web application firewall rule to block requests containing shell line-continuation patterns
• Consider using command allowlisting at the OS level (e.g., AppArmor, SELinux) as defense-in-depth

# Example: Input validation regex to detect line-continuation bypass attempts
# Add this check before passing commands to system.run
grep -P '\\\r?\n' command_input.txt && echo "Blocked: Line continuation detected"