CVE-2026-22175 in OpenClaw

Summary

by MITRE • 03/18/2026

OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers like busybox and toybox sh -c commands. Attackers can exploit this by invoking arbitrary payloads under the same multiplexer wrapper to satisfy stored allowlist rules, bypassing intended execution restrictions.


Analysis

by VulDB Data Team • 03/22/2026

The vulnerability identified as CVE-2026-22175 represents a critical security flaw in OpenClaw versions prior to 2026.2.23 that fundamentally undermines the system's execution control mechanisms. This weakness exists within the allowlist mode implementation where the security model relies on predefined trusted command patterns to govern system execution. The flaw specifically affects the validation process that occurs when commands are executed under multiplexer shell wrappers, creating a pathway for malicious actors to bypass intended security restrictions through clever manipulation of command invocation patterns.

The technical implementation of this vulnerability stems from insufficient validation of command execution contexts within the allowlist enforcement system. When OpenClaw operates in allowlist mode, it maintains a curated set of approved commands that are permitted to execute within the system environment. However, the system fails to properly account for the presence of multiplexer wrappers such as busybox and toybox which can execute commands through various shell invocation methods including sh -c. These multiplexer wrappers present a legitimate execution path that the system's validation logic does not adequately recognize or restrict, creating a window for attackers to craft commands that appear to match allowlist entries while actually executing unauthorized payloads.

The operational impact goes beyond privilege escalation to broader system compromise: an attacker can construct command sequences that reuse a recognized multiplexer wrapper to execute arbitrary code within the system's execution context. Because the allowlist is the control meant to block unauthorized command execution, bypassing it lets payloads run that the allowlist enforcement would otherwise have rejected. This is a significant risk wherever OpenClaw is deployed as a security control, as it undermines the trust model that allowlist mode is designed to maintain.

The security implications of this vulnerability align with CWE-787 which addresses out-of-bounds writes and improper input validation in security contexts. The flaw demonstrates how insufficient input validation can create bypass opportunities in security enforcement systems, particularly when dealing with shell command execution contexts. From an adversarial perspective, this vulnerability maps to several ATT&CK tactics including privilege escalation and defense evasion, as attackers can manipulate the system's trust model to execute unauthorized code while appearing to follow established security policies. The vulnerability also represents a failure in the principle of least privilege enforcement, where the system's ability to properly validate execution contexts has been compromised through inadequate consideration of multiplexer wrapper behaviors.

Mitigation requires prompt updating to version 2026.2.23 or later, where allowlist validation has been enhanced to properly recognize and restrict execution through multiplexer wrappers. Organizations should also monitor and log command execution patterns to detect anomalous use of multiplexer wrappers that might indicate exploitation attempts. The system configuration should be reviewed so that only necessary multiplexer wrappers are present in execution paths and allowlist entries avoid patterns that a wrapper-based bypass could satisfy. Security teams should additionally consider more robust command validation that can properly distinguish legitimate from malicious use of shell execution contexts, particularly where OpenClaw serves as a critical security control component.
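The weakness described above comes down to a validator that matches on the outer binary (busybox, toybox) rather than on what that binary will actually run. As an added example, not OpenClaw's code, the block below shows a wrapper-aware resolver of the kind the mitigation paragraph calls for: it peels multiplexer prefixes, expands `sh -c` scripts into their simple commands, checks every resolved command against the allowlist, and fails closed on shell syntax it cannot reason about (command substitution, redirections, unbalanced quotes). The same resolver then re-evaluates a constructed exec audit log to surface previously approved events that the hardened check would deny, which is one concrete form of the monitoring recommended above. The wrapper and applet sets, the function names, the log format and the sample log lines are all assumptions made for this example.

```python
"""Wrapper-aware exec allowlist check plus a log re-evaluation pass.

Added example, not OpenClaw code. MULTIPLEXERS, SHELL_APPLETS, the
function names and the log format are constructed for this example.
Requires Python 3.8+ (shlex punctuation_chars with whitespace_split).
"""
import os
import re
import shlex
from typing import List, Set

# Binaries that dispatch to an applet named by their first argument.
MULTIPLEXERS: Set[str] = {"busybox", "toybox"}
# Applets that interpret a script passed via -c.
SHELL_APPLETS: Set[str] = {"sh", "ash", "dash", "bash"}
# Control operators that separate simple commands inside a -c script.
OPERATORS: Set[str] = {";", "&&", "||", "|", "&"}
# Any other run of shell punctuation (redirections, subshells) is unsupported.
PUNCT_RE = re.compile(r"^[();<>|&]+$")


def shell_tokens(text: str) -> List[str]:
    """Tokenize like a POSIX shell, keeping control operators as own tokens."""
    lex = shlex.shlex(text, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)  # raises ValueError on unbalanced quotes


def split_on_operators(tokens: List[str]) -> List[List[str]]:
    """Split a token stream into simple commands; reject syntax we can't model."""
    commands, current = [], []
    for tok in tokens:
        if tok in OPERATORS:
            if current:
                commands.append(current)
            current = []
        elif PUNCT_RE.match(tok):
            raise ValueError(f"unsupported shell syntax: {tok}")
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def effective_commands(argv: List[str]) -> List[List[str]]:
    """Resolve what will actually run for argv.

    Multiplexer prefixes are stripped (the applet is the next argument) and
    `<shell> -c <script>` is expanded into the script's simple commands,
    recursively, so a wrapper nested inside a wrapper is also unwrapped.
    A shell whose script cannot be safely expanded is returned as-is so the
    caller can deny it.
    """
    while len(argv) > 1 and os.path.basename(argv[0]) in MULTIPLEXERS:
        argv = argv[1:]
    if len(argv) >= 3 and os.path.basename(argv[0]) in SHELL_APPLETS and argv[1] == "-c":
        script = argv[2]
        if "`" in script or "$(" in script or "${" in script:
            return [argv]  # command substitution: leave unexpanded (denied below)
        try:
            parts = split_on_operators(shell_tokens(script))
        except ValueError:
            return [argv]
        inner: List[List[str]] = []
        for cmd in parts:
            inner.extend(effective_commands(cmd))
        return inner
    return [argv] if argv else []


def is_allowed(argv: List[str], allowlist: Set[str]) -> bool:
    """Allow only if every command that will actually execute is allowlisted.
    Unexpanded shells and bare multiplexers are denied (fail closed)."""
    resolved = effective_commands(argv)
    if not resolved:
        return False
    for cmd in resolved:
        exe = os.path.basename(cmd[0])
        if exe in SHELL_APPLETS or exe in MULTIPLEXERS or exe not in allowlist:
            return False
    return True


# Constructed sample audit log: timestamp, recorded decision, command line.
SAMPLE_EXEC_LOG = """\
2026-03-20T10:01:02Z allow cmd="ls -la /srv/app"
2026-03-20T10:01:09Z allow cmd="busybox ls /tmp"
2026-03-20T10:01:15Z allow cmd="busybox sh -c 'ls /tmp; touch /tmp/marker'"
2026-03-20T10:02:00Z deny cmd="bash -c 'uname -a'"
2026-03-20T10:02:31Z allow cmd="toybox ash -c 'ls /tmp'"
"""
LOG_RE = re.compile(r'^(\S+) (allow|deny) cmd="([^"]*)"$')


def audit_exec_log(log_text: str, allowlist: Set[str]) -> List[str]:
    """Re-check logged 'allow' decisions with the wrapper-aware resolver and
    return the timestamps of events that should have been denied."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, decision, cmd = m.groups()
        if decision != "allow":
            continue
        try:
            ok = is_allowed(shell_tokens(cmd), allowlist)
        except ValueError:
            ok = False  # unparseable command line: treat as suspicious
        if not ok:
            flagged.append(ts)
    return flagged


if __name__ == "__main__":
    for ts in audit_exec_log(SAMPLE_EXEC_LOG, {"ls"}):
        print("approved event that the hardened check would deny:", ts)
```

The point of `effective_commands` is that an allow-always grant is evaluated against the resolved inner commands, so a stored grant for `busybox` or `busybox sh` never matches an arbitrary script. Running the audit against the constructed log with an allowlist of just `ls` flags only the 10:01:15 event, because its script also runs `touch`; the plain `busybox ls` and `toybox ash -c 'ls /tmp'` events resolve to `ls` and remain allowed.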

Responsible

VulnCheck

Reservation

01/06/2026

Disclosure

03/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00036

KEV

no

Activities

very low

Sources
