Incomplete List of Disallowed Inputs in OpenClaw - #VU132718

Published: May 29, 2026


Vulnerability identifier: #VU132718
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-184
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to bypass exec allowlist checks and execute encoded PowerShell content.

The vulnerability exists due to an incomplete list of disallowed inputs in the exec allowlist parser when it processes command requests that use abbreviated PowerShell encoded-command flags. A remote user can send a specially crafted command request to bypass exec allowlist checks and execute encoded PowerShell content.

Only instances where the affected feature is enabled and reachable are vulnerable.


Remediation

Install the security update from the vendor's website.

Sources