GHSA-j472-gf56-x589: OpenClaw: PowerShell alias bypasses exec allowlist

GHSA-j472-gf56-x589 HIGH
Published July 2, 2026
CISO Take

OpenClaw's Gateway enforces an allowlist before it will run encoded PowerShell commands on behalf of the AI agent, but an abbreviated alias form of the encoded-command flag slips past the allowlist parser, letting the underlying PowerShell interpreter decode and execute the embedded script anyway. There's no CVSS score, no EPSS percentile, no CISA KEV listing, and no public exploit or Nuclei template for this one, and only 4 downstream packages depend on openclaw directly, so this reads as a config-gated bypass rather than a mass-exploitable flaw — but the advisory itself rates it high because it defeats the specific control operators rely on to gate risky command execution, and the package has a rough security track record (425 other CVEs logged against it). Any Gateway deployment that allowlists PowerShell wrapper forms, accepts encoded-command requests from lower-trust users, or shares one Gateway across mutually untrusted parties should treat this as exploitable today. Patch to 2026.5.12 immediately; until then, stop allowlisting PowerShell wrapper forms, require manual approval for any encoded-command request, and disable the feature entirely if it isn't in active use. For detection, alert on Gateway-spawned PowerShell processes invoking any abbreviated encoded-command switch (`-e`, `-en`, `-enc`, etc.) rather than only the canonical `-EncodedCommand` form.

Sources: GitHub Advisory CISA KEV ATLAS

What is the risk?

Rated high by the vendor despite the absence of CVSS, EPSS, KEV, or public-exploit data — this is a policy/allowlist bypass (CWE-184: Incomplete List of Disallowed Inputs), not a memory-corruption or network-reachable RCE, so exploitability depends entirely on whether the affected feature is enabled and whether a lower-trust actor (user, plugin, or indirect input) can reach the command-submission path. The trusted-operator model is explicitly preserved for authenticated Gateway operators and installed plugins, which caps the realistic blast radius to environments that intentionally expose encoded-command execution to less-trusted parties or that allowlist PowerShell wrapper forms. Downstream exposure is narrow (4 known dependents), but the openclaw package's history of 425 prior CVEs suggests a pattern of security-boundary gaps worth monitoring closely rather than treating this as an isolated incident.

How does the attack unfold?

Malicious command submission
A lower-trust caller (user, plugin, or influenced input) submits a PowerShell command request to the OpenClaw Gateway using an abbreviated alias of the encoded-command flag.
AML.T0053
Allowlist evasion
The allowlist parser fails to recognize the alias form as the sensitive encoded-command switch, so the request passes the policy check meant to require approval.
AML.T0107
Command execution
The request reaches the real PowerShell interpreter, which fully honors the alias, decodes the embedded payload, and executes it with the Gateway/agent's privileges.
AML.T0050
Host impact
The attacker achieves unauthorized code execution on the host, with impact scaling to full machine compromise depending on the Gateway process's privileges.
AML.T0112.000

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm <= 2026.5.7 2026.5.12
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

1 step
  1. 1) Patch openclaw to 2026.5.12 or later immediately. 2) Until patched, do not allowlist PowerShell wrapper/alias forms of the encoded-command flag — require full, canonical flag names only. 3) Require human approval for any encoded-command request regardless of allowlist status. 4) Keep channel and tool allowlists as narrow as possible; disable the encoded-command feature entirely if it isn't operationally required. 5) Never share a single Gateway instance between mutually untrusted users. 6) Detection: monitor for Gateway/agent-spawned PowerShell processes using abbreviated encoded-command switches (-e, -en, -enc) as well as the canonical -EncodedCommand, and flag any encoded-command execution that bypassed an approval step.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
NIST AI RMF
MEASURE 2.7 - AI system security and resilience are evaluated and documented
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-j472-gf56-x589?

OpenClaw's Gateway enforces an allowlist before it will run encoded PowerShell commands on behalf of the AI agent, but an abbreviated alias form of the encoded-command flag slips past the allowlist parser, letting the underlying PowerShell interpreter decode and execute the embedded script anyway. There's no CVSS score, no EPSS percentile, no CISA KEV listing, and no public exploit or Nuclei template for this one, and only 4 downstream packages depend on openclaw directly, so this reads as a config-gated bypass rather than a mass-exploitable flaw — but the advisory itself rates it high because it defeats the specific control operators rely on to gate risky command execution, and the package has a rough security track record (425 other CVEs logged against it). Any Gateway deployment that allowlists PowerShell wrapper forms, accepts encoded-command requests from lower-trust users, or shares one Gateway across mutually untrusted parties should treat this as exploitable today. Patch to 2026.5.12 immediately; until then, stop allowlisting PowerShell wrapper forms, require manual approval for any encoded-command request, and disable the feature entirely if it isn't in active use. For detection, alert on Gateway-spawned PowerShell processes invoking any abbreviated encoded-command switch (`-e`, `-en`, `-enc`, etc.) rather than only the canonical `-EncodedCommand` form.

Is GHSA-j472-gf56-x589 actively exploited?

No confirmed active exploitation of GHSA-j472-gf56-x589 has been reported, but organizations should still patch proactively.

How to fix GHSA-j472-gf56-x589?

1) Patch openclaw to 2026.5.12 or later immediately. 2) Until patched, do not allowlist PowerShell wrapper/alias forms of the encoded-command flag — require full, canonical flag names only. 3) Require human approval for any encoded-command request regardless of allowlist status. 4) Keep channel and tool allowlists as narrow as possible; disable the encoded-command feature entirely if it isn't operationally required. 5) Never share a single Gateway instance between mutually untrusted users. 6) Detection: monitor for Gateway/agent-spawned PowerShell processes using abbreviated encoded-command switches (`-e`, `-en`, `-enc`) as well as the canonical `-EncodedCommand`, and flag any encoded-command execution that bypassed an approval step.

What systems are affected by GHSA-j472-gf56-x589?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent gateways, plugin/tool execution surfaces.

What is the CVSS score for GHSA-j472-gf56-x589?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksAI agent gatewaysplugin/tool execution surfaces

MITRE ATLAS Techniques

AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Article 15
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

### Summary PowerShell encoded-command aliases could miss exec allowlist checks. In affected versions, a command request using abbreviated encoded-command flags could use an alias form not recognized by the allowlist parser. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. ### Impact When the affected feature is enabled and reachable, this could run encoded PowerShell content without the intended allowlist decision. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. ### Patched Versions The first stable patched version is `2026.5.12`. ### Mitigations Avoid allowlisting PowerShell wrapper forms and require approval for encoded commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.

Exploitation Scenario

A lower-trust user, a compromised plugin, or content that can influence the agent's tool-call submits a PowerShell command request to the OpenClaw Gateway using an abbreviated alias of the encoded-command flag (e.g., `-enc` or `-e` instead of the full `-EncodedCommand`). The allowlist parser only recognizes the canonical flag form and doesn't flag the alias as a disallowed/sensitive input, so the request passes the policy check that was supposed to require approval. The request is forwarded to the real PowerShell interpreter, which fully honors the alias, decodes the embedded Base64 payload, and executes it with the privileges of the Gateway/agent process — giving the attacker arbitrary code execution on the host without ever triggering the intended human-in-the-loop gate.

Weaknesses (CWE)

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

  • [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Source: MITRE CWE corpus.

Timeline

Published
July 2, 2026
Last Modified
July 2, 2026
First Seen
July 2, 2026

Related Vulnerabilities