CVE-2026-28470 Overview
OpenClaw versions prior to 2026.2.2 contain an exec approvals allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. This vulnerability exists when the exec approvals feature is enabled, and attackers can bypass the allowlist protection by embedding unescaped $() or backticks inside double-quoted strings to execute unauthorized commands.
Critical Impact
This command injection vulnerability enables remote attackers to bypass security controls and execute arbitrary system commands, potentially leading to full system compromise, data exfiltration, and lateral movement within affected environments.
Affected Products
- OpenClaw versions prior to 2026.2.2
Discovery Timeline
- 2026-03-05 - CVE CVE-2026-28470 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28470
Vulnerability Analysis
This vulnerability is classified under CWE-88 (Improper Neutralization of Argument Delimiters in a Command). The flaw resides in the exec approvals functionality within OpenClaw's command execution pipeline. When exec approvals are enabled, the application implements an allowlist mechanism to restrict which commands can be executed. However, the parsing logic fails to properly handle command substitution syntax within double-quoted strings.
The vulnerable code does not recognize that shell command substitution using $() syntax or backticks (`) can be embedded within double-quoted strings to execute arbitrary commands. This means an attacker can craft malicious input that appears to conform to the allowlist but actually executes unauthorized commands through shell expansion.
Root Cause
The root cause lies in insufficient input validation within the exec allowlist parsing logic. The original implementation tracked certain disallowed pipeline tokens but failed to account for command substitution escape sequences within double-quoted contexts. Specifically, the parser did not properly sanitize or block the $ and backtick characters when they appeared inside double quotes, allowing shell command substitution to occur during execution.
Attack Vector
The attack vector is network-based and requires no user interaction or prior authentication. An attacker can exploit this vulnerability by submitting specially crafted input containing command substitution syntax embedded within double-quoted strings. When the exec approvals system processes this input, the malicious command substitution is evaluated by the underlying shell, bypassing the intended allowlist restrictions.
For example, an attacker could embed $(malicious_command) within an otherwise allowed command string, causing the shell to execute the nested command before processing the outer command.
};
const DISALLOWED_PIPELINE_TOKENS = new Set([">", "<", "`", "\n", "\r", "(", ")"]);
+const DOUBLE_QUOTE_ESCAPES = new Set(["\\", '"', "$", "`", "\n", "\r"]);
+
+function isDoubleQuoteEscape(next: string | undefined): next is string {
+ return Boolean(next && DOUBLE_QUOTE_ESCAPES.has(next));
+}
type IteratorAction = "split" | "skip" | "include" | { reject: string };
Source: GitHub Commit Reference
The security patch introduces a new DOUBLE_QUOTE_ESCAPES set that explicitly includes the $ and backtick characters as escape sequences that must be handled within double-quoted contexts. The isDoubleQuoteEscape function provides proper validation to ensure these dangerous characters are neutralized when parsing commands.
Detection Methods for CVE-2026-28470
Indicators of Compromise
- Unexpected command execution logs containing $() or backtick syntax in application arguments
- Anomalous process spawning from OpenClaw application processes
- Network connections or file system modifications initiated by the OpenClaw process that deviate from normal operational patterns
- Log entries showing exec approval requests with embedded shell metacharacters
Detection Strategies
- Monitor application logs for command strings containing unescaped $() or backtick sequences within quoted arguments
- Implement runtime application security monitoring to detect command injection patterns
- Deploy network intrusion detection rules to identify exploitation attempts targeting OpenClaw endpoints
- Audit process creation events from OpenClaw services for unexpected child processes
Monitoring Recommendations
- Enable verbose logging for exec approvals functionality to capture all command execution requests
- Implement file integrity monitoring on critical system directories that could be modified by command injection
- Configure security information and event management (SIEM) alerts for command substitution patterns in application inputs
- Monitor outbound network connections from application servers for signs of data exfiltration
How to Mitigate CVE-2026-28470
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.2 or later immediately
- If unable to upgrade immediately, disable the exec approvals feature until patching is complete
- Review application logs for any signs of prior exploitation attempts
- Implement network segmentation to limit the impact of potential compromise
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.2. The fix hardens the exec allowlist parsing by introducing proper handling of escape sequences within double-quoted strings. The patch commit (d1ecb46076145deb188abcba8f0699709ea17198) adds validation for the $ and backtick characters within double-quote contexts, preventing command substitution attacks.
For detailed patch information, refer to the GitHub Security Advisory and the GitHub Commit Reference.
Workarounds
- Disable the exec approvals feature if it is not required for your deployment
- Implement additional input validation at the application layer to reject commands containing shell metacharacters
- Deploy a web application firewall (WAF) with rules to block command injection patterns
- Restrict network access to OpenClaw services to trusted sources only
# Disable exec approvals feature as a temporary workaround
# Add to OpenClaw configuration file
OPENCLAW_EXEC_APPROVALS_ENABLED=false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
