GHSA-wpc6-37g7-8q4w: OpenClaw: exec allowlist bypass via shell init-file options

GHSA-wpc6-37g7-8q4w MEDIUM
Published April 7, 2026
CISO Take

OpenClaw's exec allowlist can be bypassed by crafting shell-wrapper invocations that use init-file flags (`--rcfile`, `--init-file`, `--startup-file`), causing the shell to inherit allowlist trust while loading attacker-chosen initialization scripts instead of the approved one. This is a targeted security control bypass — not generic RCE — but in AI agent deployments where exec allowlists are the primary sandbox boundary, a bypass undermines the entire trust model for that control. There is no public exploit, no CISA KEV entry, and EPSS data is not yet available, but OpenClaw already has 37 prior CVEs and an associated incident (AIID #1368) documenting malicious skill abuse in its ecosystem, suggesting it is an active target. Patch to `openclaw >= 2026.3.31` (or `2026.4.1`) immediately; if patching is not immediately possible, audit all shell-wrapper command shapes in your agent workflows and disable exec allowlist until updated.

Sources: GitHub Advisory, ATLAS

Risk Assessment

Medium risk overall, but elevated in AI agent contexts. Exploitation requires the allowlist feature to be active and the attacker to control or influence shell command arguments — a realistic condition in multi-tenant or plugin-enabled agent deployments. The blast radius is scoped to the allowlist bypass rather than full RCE, but in an agent framework where the allowlist IS the execution control plane, bypassing it can enable privilege escalation, unauthorized script execution, and persistence within the agent environment. CWE-184 (Incomplete List of Disallowed Inputs) is a consistently exploitable class when the attacker can probe input shape variations.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.3.31 | 2026.3.31 |

Severity & Risk

- CVSS 3.1: N/A
- EPSS: N/A
- Exploitation Status: No known exploitation
- Sophistication: Moderate

Recommended Action

  1. Patch: Upgrade `openclaw` (npm) to `>= 2026.3.31` or the current release `2026.4.1`.
  2. Workaround: If patching is not immediately feasible, disable exec allowlist or allow-always execution behavior until the patch is applied.
  3. Detection: Audit shell command execution logs for invocations of `bash`, `sh`, `zsh`, or other shells containing `--rcfile`, `--init-file`, or `--startup-file` flags, particularly where the referenced file path does not match the expected allowlisted script.
  4. Harden: Review all OpenClaw agent configurations to ensure no third-party skills or plugins can inject shell-wrapper command shapes. Given the prior malicious skills incident (AIID #1368), audit the full ClawHub skill inventory in use.
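
One way to run the detection audit from step 3 over exec logs, as an added example that is not part of the advisory or of OpenClaw. The log line format (`<timestamp> exec <command line>`), the shell list, and all paths are constructed assumptions, and the whitespace split does not handle quoted arguments.

```javascript
// Added example; the log format and paths are constructed, not OpenClaw's.
const SHELL_RE = /^(?:\S*\/)?(?:bash|sh|zsh|dash|ksh)$/;
// Init-file options named in the advisory, in "--flag file" or "--flag=file" form.
const INIT_FLAG_RE = /^(--rcfile|--init-file|--startup-file)(?:=(.*))?$/;

// Constructed sample log lines: "<ISO timestamp> exec <command line>"
const SAMPLE_LOG = [
  "2026-03-30T10:00:01Z exec bash /opt/agent/scripts/deploy.sh",
  "2026-03-30T10:00:07Z exec bash --rcfile /tmp/init.sh /opt/agent/scripts/deploy.sh",
  "2026-03-30T10:00:09Z exec /usr/bin/zsh --startup-file=/home/a/.x /opt/agent/scripts/build.sh",
  "2026-03-30T10:00:12Z exec node /opt/agent/scripts/index.js --rcfile foo",
];

// Return one finding per shell invocation that names an init file.
function findInitFileInvocations(lines) {
  const findings = [];
  for (const line of lines) {
    const [timestamp, kind, ...argv] = line.trim().split(/\s+/);
    if (kind !== "exec" || argv.length === 0 || !SHELL_RE.test(argv[0])) continue;
    for (let i = 1; i < argv.length; i++) {
      if (argv[i] === "--") break; // end of shell options
      const m = INIT_FLAG_RE.exec(argv[i]);
      if (!m) continue;
      const initFile = m[2] !== undefined ? m[2] : argv[i + 1] ?? null;
      const script = argv[argv.length - 1];
      // mismatch: the init file is not the script the allowlist would have matched
      findings.push({ timestamp, shell: argv[0], flag: m[1], initFile, script,
                      mismatch: initFile !== script });
      break;
    }
  }
  return findings;
}

for (const f of findInitFileInvocations(SAMPLE_LOG)) {
  console.log(`${f.timestamp} ${f.shell} ${f.flag} -> ${f.initFile} (script: ${f.script})`);
}
```
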

Compliance Impact

This CVE is relevant to:

- EU AI Act: Article 9 - Risk management system
- ISO 42001: 6.1 - Actions to address risks and opportunities; 8.4 - AI system operation
- NIST AI RMF: MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
- OWASP LLM Top 10: LLM06 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Technical Details

NVD Description

## Summary

Before OpenClaw 2026.3.31, exec allowlist matching could treat shell init-file wrapper invocations as if the approved script itself were being executed. Shell options such as `--rcfile`, `--init-file`, and `--startup-file` could therefore inherit allowlist trust from a matched script path even though the shell loaded attacker-chosen initialization first.

## Impact

This issue only applied when exec allowlist or allow-always behavior was enabled and the attacker could steer a shell-wrapper command shape that used init-file options. The result was a narrower allowlist bypass, not generic arbitrary command execution from an untrusted boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `< 2026.3.31`
- Patched versions: `>= 2026.3.31`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `0c8375424620e12777ef24c162eedc7e9fcfd7e3` — reject shell init-file script matches

## Release Process Note

The fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains the fix.

Thanks @cyjhhh for reporting.

Exploitation Scenario

An attacker with the ability to influence shell command arguments within an OpenClaw agent — for example, through a malicious plugin, a poisoned tool definition, or injected input — crafts a command such as `bash --rcfile /tmp/attacker.sh /path/to/allowlisted-script.sh`. Because the allowlist matches on the script path at the end of the command, trust is granted. The shell, however, loads `/tmp/attacker.sh` as its initialization file before executing, running attacker-controlled code with inherited allowlist permissions. In a CISO-relevant scenario, this could be chained with a malicious OpenClaw skill (as seen in AIID #1368) to silently execute a credential harvester or establish persistence within the agent's host environment.
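
The matching flaw described above, modelled as an added example: a simplified last-argument matcher beside a version that rejects init-file wrappers. This is not OpenClaw's code or its actual fix; the function names and shell list are hypothetical, and the check covers only the three options the advisory names.

```javascript
// Added illustration, not OpenClaw source; shell list and function names are assumptions.
const SHELLS = new Set(["sh", "bash", "zsh", "dash", "ksh"]);
// Init-file options named in the advisory.
const INIT_FILE_FLAGS = new Set(["--rcfile", "--init-file", "--startup-file"]);

const isShell = (argv) => SHELLS.has(argv[0].split("/").pop());

// Flawed shape: a shell wrapper is trusted when its final argument is an approved script.
function naiveAllows(argv, allowlist) {
  const target = isShell(argv) ? argv[argv.length - 1] : argv[0];
  return allowlist.has(target);
}

// True when a shell option ("--flag file" or "--flag=file") names an init file.
function usesInitFile(argv) {
  for (const arg of argv.slice(1)) {
    if (arg === "--") return false; // everything after "--" is an operand
    if (INIT_FILE_FLAGS.has(arg.split("=", 1)[0])) return true;
  }
  return false;
}

// Hardened shape: init-file wrappers never inherit trust from the script path.
function hardenedAllows(argv, allowlist) {
  if (isShell(argv) && usesInitFile(argv)) return false;
  return naiveAllows(argv, allowlist);
}

// Paths taken from the command shown in the scenario above.
const ALLOWLIST = new Set(["/path/to/allowlisted-script.sh"]);
const PLAIN = ["bash", "/path/to/allowlisted-script.sh"];
const WRAPPED = ["bash", "--rcfile", "/tmp/attacker.sh", "/path/to/allowlisted-script.sh"];

console.log("naive:   ", naiveAllows(PLAIN, ALLOWLIST), naiveAllows(WRAPPED, ALLOWLIST));
console.log("hardened:", hardenedAllows(PLAIN, ALLOWLIST), hardenedAllows(WRAPPED, ALLOWLIST));
```
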

Timeline

Published
April 7, 2026
Last Modified
April 7, 2026
First Seen
April 7, 2026
