CVE-2026-28463
OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion
Description
## Summary

OpenClaw's exec-approvals allowlist supports a small set of "safe bins" intended to be stdin-only (no positional file arguments) when running `tools.exec.host=gateway|node` with `security=allowlist`.

In affected configurations, the allowlist validation checked pre-expansion argv tokens, but execution used a real shell (`sh -c`) which expands globs and environment variables. This allowed safe bins like `head`, `tail`, or `grep` to read arbitrary local files via tokens such as `*` or `$HOME/...` without triggering approvals.

This issue is configuration-dependent and is not exercised by default settings (default `tools.exec.host` is `sandbox`).

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected: `<= 2026.2.13`
- Patched: `>= 2026.2.14` (planned; publish the advisory after the npm release is out)

## Impact

An authorized but untrusted caller (or prompt-injection) could cause the gateway/node process to disclose files readable by that process when host execution is enabled in allowlist mode.

## Fix

Safe-bins executions now force argv tokens to be treated as literal text at execution time (single-quoted), preventing globbing and `$VARS` expansion from turning "safe" tokens into file paths.

## Fix Commit(s)

- 77b89719d5b7e271f48b6f49e334a8b991468c3b

## Release Process Note

`patched_versions` is pre-set for the next planned release (`>= 2026.2.14`) so publishing is a single click once that npm version is available.

Thanks @christos-eth for reporting.
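The gap between the tokens a validator approves and the argv a program receives after `sh -c` expansion, together with the single-quoting approach named in the Fix section, can be seen in the following added example. It is not OpenClaw's code: `shLiteral`, `renderArgs`, `argvSeenByProgram`, the `DEMO_DIR` variable and the file names are hypothetical, and `printf` stands in for a safe bin.

```javascript
const { execFileSync } = require('node:child_process');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: render one argv token as a literal POSIX sh word.
// Nothing expands inside single quotes; an embedded ' is written as '\''.
function shLiteral(token) {
  return "'" + String(token).replace(/'/g, "'\\''") + "'";
}

// Join tokens for `sh -c`. literal=false mimics passing approved tokens to
// the shell unchanged; literal=true is the single-quoted form.
function renderArgs(args, literal) {
  return args.map((a) => (literal ? shLiteral(a) : a)).join(' ');
}

// Run `printf '%s\n' <args>` through sh in a scratch directory holding two
// constructed files, and return the argv the program actually received.
function argvSeenByProgram(args, literal) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'safebins-demo-'));
  try {
    fs.writeFileSync(path.join(dir, 'constructed-a.txt'), 'a\n');
    fs.writeFileSync(path.join(dir, 'constructed-b.txt'), 'b\n');
    const out = execFileSync('sh', ['-c', "printf '%s\\n' " + renderArgs(args, literal)], {
      cwd: dir,
      env: { PATH: process.env.PATH, DEMO_DIR: '/constructed/dir' }, // constructed variable
      encoding: 'utf8',
    });
    return out.trimEnd().split('\n');
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

const approved = ['*', '$DEMO_DIR/notes']; // tokens as the validator saw them
console.log('unquoted:', argvSeenByProgram(approved, false));
console.log('literal: ', argvSeenByProgram(approved, true));
```

Comparing the two printed arrays shows why a check on pre-expansion tokens says nothing about what the program receives unless the tokens reach it as literals.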
How to fix CVE-2026-28463
To remediate CVE-2026-28463, upgrade the affected package to a fixed version below.
- `openclaw` (npm): upgrade to 2026.2.14 or later
Is CVE-2026-28463 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `openclaw` (npm): from 0, < 2026.2.14