VulnCheck·CWE-184·Published 2026-03-02
OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers like busybox and toybox sh -c commands. Attackers can exploit this by invoking arbitrary payloads under the same multiplexer wrapper to satisfy stored allowlist rules, bypassing intended execution restrictions.
### Summary

OpenClaw exec approvals could be bypassed in `allowlist` mode when `allow-always` was granted through unrecognized multiplexer shell wrappers (notably `busybox sh -c` and `toybox sh -c`).

### Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected: `<= 2026.2.22-2`
- Latest published vulnerable version at triage time: `2026.2.22-2` (checked on February 24, 2026)
- Fixed on `main`: yes
- Patched release: `2026.2.23`

### Details

Wrapper analysis treated `busybox`/`toybox` invocations as non-wrapper commands in this path, so `allow-always` persisted the wrapper binary path instead of the inner executable. That allowed later arbitrary payloads under the same multiplexer wrapper to satisfy the stored allowlist rule.

The fix hardens wrapper detection and persistence behavior for these multiplexer shell applets so approvals bind to intended inner executables and fail closed when unwrap safety is uncertain.

### Fix Commit(s)

- `a67689a7e3ad494b6637c76235a664322d526f9e`

### Release Process Note

`patched_versions` is pre-set to the released version (`2026.2.23`). This advisory now reflects released fix version `2026.2.23`.

OpenClaw thanks @jiseoung for reporting.
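The Details section above describes the failure mode abstractly: the approval resolver never unwrapped `busybox`/`toybox`, so the persisted `allow-always` target was the multiplexer binary rather than the inner executable. The following TypeScript is an added illustration written for this page; it is not OpenClaw's code and does not reproduce the fix commit. It models a minimal "what executable does this approval bind to?" resolver in two forms: a naive one that only recognises a bare `sh -c` wrapper, and a hardened one that strips multiplexer prefixes, unwraps `sh -c` and fails closed (returns `null`) whenever it cannot safely reduce the command to a single inner executable. Function names, the applet lists and the sample `argv` arrays are all constructed for the example.

```typescript
// Added example (not OpenClaw's implementation): binding an allow-always
// approval to an executable, with and without multiplexer-wrapper awareness.

// Constructed lists; a real resolver would enumerate its supported shells/applets.
const SHELL_APPLETS = new Set(["sh", "ash", "bash", "dash"]);
const MULTIPLEXERS = new Set(["busybox", "toybox"]);

type Resolver = (argv: readonly string[]) => string | null;

function basename(p: string): string {
  const i = p.lastIndexOf("/");
  return i < 0 ? p : p.slice(i + 1);
}

// Minimal shell-word splitter: whitespace separated, honours '...' and "...".
// Returns null on an unterminated quote so callers can fail closed.
function tokenize(cmd: string): string[] | null {
  const out: string[] = [];
  let cur = "";
  let quote: string | null = null;
  let have = false;
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd[i];
    if (quote) {
      if (ch === quote) quote = null; else cur += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch; have = true;
    } else if (/\s/.test(ch)) {
      if (have) { out.push(cur); cur = ""; have = false; }
    } else {
      cur += ch; have = true;
    }
  }
  if (quote) return null;
  if (have) out.push(cur);
  return out;
}

// Naive resolver: only a bare `sh -c <cmd>` is treated as a wrapper.
// `busybox sh -c <cmd>` falls through and the multiplexer path itself is
// what gets persisted, which is the defect class the advisory describes.
function bindTargetNaive(argv: readonly string[]): string | null {
  if (argv.length === 0) return null;
  if (SHELL_APPLETS.has(basename(argv[0])) && argv[1] === "-c" && argv[2]) {
    const tokens = tokenize(argv[2]);
    return tokens && tokens.length ? tokens[0] : null;
  }
  return argv[0];
}

// Hardened resolver: peel multiplexers, unwrap `sh -c`, and refuse to bind
// (null) when the inner command is compound, malformed, or nested too deeply.
function bindTargetHardened(argv: readonly string[], depth = 0): string | null {
  if (depth > 4 || argv.length === 0) return null;          // fail closed
  const exe = basename(argv[0]);
  if (MULTIPLEXERS.has(exe)) {
    // `busybox sh -c ...` / `toybox ls`: the applet is the real command.
    return bindTargetHardened(argv.slice(1), depth + 1);
  }
  if (SHELL_APPLETS.has(exe)) {
    if (argv[1] !== "-c" || argv.length !== 3) return null;  // unfamiliar shell form
    const inner = argv[2];
    // Control operators, substitution or redirection mean more than one
    // executable may run; a single bound target would be misleading.
    if (/[;&|`$(){}<>\n]/.test(inner)) return null;
    const tokens = tokenize(inner);
    if (!tokens || tokens.length === 0) return null;
    return bindTargetHardened(tokens, depth + 1);
  }
  return argv[0];
}

// Would an allow-always grant recorded for `granted` also satisfy `later`?
function approvalCarriesOver(
  resolve: Resolver,
  granted: readonly string[],
  later: readonly string[],
): boolean {
  const a = resolve(granted);
  const b = resolve(later);
  return a !== null && b !== null && a === b;
}

// Constructed sample invocations (benign commands, used only to show binding).
const GRANTED = ["busybox", "sh", "-c", "curl -s https://example.invalid/health"];
const LATER = ["busybox", "sh", "-c", "cat /etc/hostname"];

export { bindTargetNaive, bindTargetHardened, approvalCarriesOver, tokenize, GRANTED, LATER };
```

With the naive resolver both sample invocations bind to `busybox`, so one grant silently covers the other; the hardened resolver binds them to `curl` and `cat` respectively and returns `null` for compound inner commands such as `ls; id`, which is the "fail closed when unwrap safety is uncertain" behaviour the advisory attributes to the fix.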
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 7.1 | 2.8 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
| 3.1 | Primary | cve.org | 7.1 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
| 4.0 | Primary | cve.org | 7.1 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |
| 4.0 | Secondary | NVD | 7.1 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| 4.0 | Secondary | GHSA | 6.9 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |