OpenClaw's system.run allowlist got broken three different ways in March 2026. The allowlist is supposed to block unapproved commands from running on your machine. It didn't. Three separate vulnerabilities, three different bypass techniques, one patch release.
All fixed in v2026.2.22. If you're on ClawHosters, you're already running a patched version.
What Happened
Security researchers found that OpenClaw's allowlist enforcement had blind spots. The allowlist checks which commands are approved before execution, but attackers found ways to slip past those checks entirely.
| CVE | CVSS | What It Does |
|---|---|---|
| CVE-2026-27566 | 7.1 (HIGH) | Wrapper chain depth exhaustion bypasses allowlist |
| CVE-2026-28460 | 5.9 (MEDIUM) | Shell line-continuation smuggles commands past static analysis |
| CVE-2026-29607 | 6.4 (MEDIUM) | Approve one command, execute anything via cached wrapper trust |
The worst one is CVE-2026-27566. CVSS 7.1, network-accessible, low privileges required, no user interaction needed. That's about as bad as it gets for a tool running on your local machine.
How the Bypasses Work
Each CVE targets the same subsystem but uses a different trick. The VulnCheck advisory for CVE-2026-29607 explains the wrapper persistence issue well: an attacker gets approval for a harmless wrapped command, then swaps in a malicious payload through the same trusted wrapper. OpenClaw cached trust at the wrapper level, not the inner command. Approve once, run anything.
CVE-2026-28460 is more clever. It abuses shell line-continuation characters to split a command substitution across lines, fooling OpenClaw's static analysis into seeing an allowlisted binary while the shell actually executes something else.
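As an added illustration (hypothetical code, not OpenClaw's own), here is an allowlist checker written to close all three gaps at once: it joins backslash-newline continuations before any analysis, decides on the inner binary rather than trusting the wrapper, and fails closed when a wrapper chain is deeper than it will unwrap. The allowlist, the wrapper set and the depth limit are constructed values, and reading CVE-2026-27566 as "fail open once depth is exhausted" is an assumption drawn from the advisory title.

```python
import re
import shlex
from typing import List, Optional

# Constructed policy for illustration only; not OpenClaw's real configuration.
ALLOWLIST = {"ls", "git", "cat"}
# Wrappers treated as transparent, mapped to the positional args they consume.
WRAPPERS = {"env": 0, "nice": 0, "nohup": 0, "timeout": 1}
MAX_WRAPPER_DEPTH = 3
# Command substitution, chaining and redirection are never allowlisted.
METACHARS = re.compile(r"\$\(|`|\$\{|[;&|<>]")

def normalize(cmd: str) -> str:
    """Drop backslash-newline continuations exactly as the shell does before
    tokenizing, so the analyzer sees the same text the shell will execute."""
    return cmd.replace("\\\n", "")

def inner_binary(argv: List[str]) -> Optional[str]:
    """Peel known wrappers off the front of argv and return the binary that
    actually runs. Returns None (deny) once MAX_WRAPPER_DEPTH is exceeded."""
    for _ in range(MAX_WRAPPER_DEPTH + 1):
        if not argv:
            return None
        if argv[0] not in WRAPPERS:
            return argv[0]
        # Skip the wrapper, its flags and env assignments (simplified handling),
        # then the positional args it consumes (e.g. timeout's duration).
        rest = argv[1:]
        while rest and (rest[0].startswith("-") or "=" in rest[0]):
            rest = rest[1:]
        argv = rest[WRAPPERS[argv[0]]:]
    return None  # depth exhausted: fail closed, never fall back to wrapper trust

def is_allowed(cmd: str) -> bool:
    """Hardened allowlist decision for one command line."""
    text = normalize(cmd)
    if "\n" in text or METACHARS.search(text):
        return False  # several lines or a substitution: more than one thing runs
    try:
        argv = shlex.split(text)
    except ValueError:
        return False  # unbalanced quotes: refuse what we cannot parse
    binary = inner_binary(argv)
    return binary is not None and binary in ALLOWLIST

def first_line_binary(cmd: str) -> Optional[str]:
    """What a first-line-only static check sees; kept for contrast."""
    tokens = cmd.splitlines()[0].split() if cmd else []
    return tokens[0] if tokens else None
```

Running the checker over a continuation-split command shows the difference: the first-line view reports an allowlisted binary, while `is_allowed` rejects the normalized text.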
The Bigger Picture
These three CVEs are part of a larger pattern. Jerry Gamblin's OpenClaw CVE tracker now monitors over 156 advisories, only 28 of which have assigned CVE IDs. Cyera Research found 24,478 internet-connected OpenClaw instances via Shodan. Belgium's Centre for Cybersecurity has issued government-level patch advisories.
Windows users need a separate fix: the batch CVEs (CVE-2026-31990 through CVE-2026-32000) require v2026.3.2.
ClawHosters Customers: You're Patched
ClawHosters auto-updates all managed instances. Your instance is already running a version above v2026.2.22. You don't need to track 156 advisories manually. That's the point of managed hosting.
Self-hosting? Check your version and update. For a deeper look at OpenClaw's security posture, read our security hardening guide or the safety scanner post.