OS Command Injection in OpenClaw - CVE-2026-22179


Published: May 1, 2026


Vulnerability identifier: #VU128819
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-22179
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a remote user to execute unintended commands on the node host.

The vulnerability exists due to improper neutralization of special elements used in an OS command (CWE-78) in the system.run allowlist parsing on the macOS node-host path, when processing double-quoted shell text that contains command substitution in security=allowlist mode. A remote privileged user can send a specially crafted shell-wrapper command to execute unintended commands on the node host.

Exploitation requires the macOS node-host or companion-app execution path, security=allowlist, and ask mode set to on-miss or off.


Remediation

Install security update from vendor's website.

External links