OpenClaw's Gateway enforces an allowlist before it will run encoded PowerShell commands on behalf of the AI agent, but an abbreviated alias form of the encoded-command flag slips past the allowlist parser, letting the underlying PowerShell interpreter decode and execute the embedded script anyway. There's no CVSS score, no EPSS percentile, no CISA KEV listing, and no public exploit or Nuclei template for this one, and only 4 downstream packages depend on openclaw directly, so this reads as a config-gated bypass rather than a mass-exploitable flaw — but the advisory itself rates it high because it defeats the specific control operators rely on to gate risky command execution, and the package has a rough security track record (425 other CVEs logged against it). Any Gateway deployment that allowlists PowerShell wrapper forms, accepts encoded-command requests from lower-trust users, or shares one Gateway across mutually untrusted parties should treat this as exploitable today. Patch to 2026.5.12 immediately; until then, stop allowlisting PowerShell wrapper forms, require manual approval for any encoded-command request, and disable the feature entirely if it isn't in active use. For detection, alert on Gateway-spawned PowerShell processes invoking any abbreviated encoded-command switch (`-e`, `-en`, `-enc`, etc.) rather than only the canonical `-EncodedCommand` form.
What is the risk?
Rated high by the vendor despite the absence of CVSS, EPSS, KEV, or public-exploit data — this is a policy/allowlist bypass (CWE-184: Incomplete List of Disallowed Inputs), not a memory-corruption or network-reachable RCE, so exploitability depends entirely on whether the affected feature is enabled and whether a lower-trust actor (user, plugin, or indirect input) can reach the command-submission path. The trusted-operator model is explicitly preserved for authenticated Gateway operators and installed plugins, which caps the realistic blast radius to environments that intentionally expose encoded-command execution to less-trusted parties or that allowlist PowerShell wrapper forms. Downstream exposure is narrow (4 known dependents), but the openclaw package's history of 425 prior CVEs suggests a pattern of security-boundary gaps worth monitoring closely rather than treating this as an isolated incident.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.5.7 | 2026.5.12 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
1 step-
1) Patch openclaw to 2026.5.12 or later immediately. 2) Until patched, do not allowlist PowerShell wrapper/alias forms of the encoded-command flag — require full, canonical flag names only. 3) Require human approval for any encoded-command request regardless of allowlist status. 4) Keep channel and tool allowlists as narrow as possible; disable the encoded-command feature entirely if it isn't operationally required. 5) Never share a single Gateway instance between mutually untrusted users. 6) Detection: monitor for Gateway/agent-spawned PowerShell processes using abbreviated encoded-command switches (
-e,-en,-enc) as well as the canonical-EncodedCommand, and flag any encoded-command execution that bypassed an approval step.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-j472-gf56-x589?
OpenClaw's Gateway enforces an allowlist before it will run encoded PowerShell commands on behalf of the AI agent, but an abbreviated alias form of the encoded-command flag slips past the allowlist parser, letting the underlying PowerShell interpreter decode and execute the embedded script anyway. There's no CVSS score, no EPSS percentile, no CISA KEV listing, and no public exploit or Nuclei template for this one, and only 4 downstream packages depend on openclaw directly, so this reads as a config-gated bypass rather than a mass-exploitable flaw — but the advisory itself rates it high because it defeats the specific control operators rely on to gate risky command execution, and the package has a rough security track record (425 other CVEs logged against it). Any Gateway deployment that allowlists PowerShell wrapper forms, accepts encoded-command requests from lower-trust users, or shares one Gateway across mutually untrusted parties should treat this as exploitable today. Patch to 2026.5.12 immediately; until then, stop allowlisting PowerShell wrapper forms, require manual approval for any encoded-command request, and disable the feature entirely if it isn't in active use. For detection, alert on Gateway-spawned PowerShell processes invoking any abbreviated encoded-command switch (`-e`, `-en`, `-enc`, etc.) rather than only the canonical `-EncodedCommand` form.
Is GHSA-j472-gf56-x589 actively exploited?
No confirmed active exploitation of GHSA-j472-gf56-x589 has been reported, but organizations should still patch proactively.
How to fix GHSA-j472-gf56-x589?
1) Patch openclaw to 2026.5.12 or later immediately. 2) Until patched, do not allowlist PowerShell wrapper/alias forms of the encoded-command flag — require full, canonical flag names only. 3) Require human approval for any encoded-command request regardless of allowlist status. 4) Keep channel and tool allowlists as narrow as possible; disable the encoded-command feature entirely if it isn't operationally required. 5) Never share a single Gateway instance between mutually untrusted users. 6) Detection: monitor for Gateway/agent-spawned PowerShell processes using abbreviated encoded-command switches (`-e`, `-en`, `-enc`) as well as the canonical `-EncodedCommand`, and flag any encoded-command execution that bypassed an approval step.
What systems are affected by GHSA-j472-gf56-x589?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent gateways, plugin/tool execution surfaces.
What is the CVSS score for GHSA-j472-gf56-x589?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation AML.T0107 Exploitation for Defense Evasion AML.T0112.000 Local AI Agent Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary PowerShell encoded-command aliases could miss exec allowlist checks. In affected versions, a command request using abbreviated encoded-command flags could use an alias form not recognized by the allowlist parser. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. ### Impact When the affected feature is enabled and reachable, this could run encoded PowerShell content without the intended allowlist decision. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. ### Patched Versions The first stable patched version is `2026.5.12`. ### Mitigations Avoid allowlisting PowerShell wrapper forms and require approval for encoded commands until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
Exploitation Scenario
A lower-trust user, a compromised plugin, or content that can influence the agent's tool-call submits a PowerShell command request to the OpenClaw Gateway using an abbreviated alias of the encoded-command flag (e.g., `-enc` or `-e` instead of the full `-EncodedCommand`). The allowlist parser only recognizes the canonical flag form and doesn't flag the alias as a disallowed/sensitive input, so the request passes the policy check that was supposed to require approval. The request is forwarded to the real PowerShell interpreter, which fully honors the alias, decodes the embedded Base64 payload, and executes it with the privileges of the Gateway/agent process — giving the attacker arbitrary code execution on the host without ever triggering the intended human-in-the-loop gate.
Weaknesses (CWE)
CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
- [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw