GHSA-qm9x-v7cx-7rq4: OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper

March 26, 2026

Allow-always exec approvals did not unwrap /usr/bin/time, so an unregistered time wrapper could bypass executable binding and reuse approval state for the inner command.

References

github.com/advisories/GHSA-qm9x-v7cx-7rq4
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/39409b6a6dd4239deea682e626bac9ba547bfb14
github.com/openclaw/openclaw/security/advisories/GHSA-qm9x-v7cx-7rq4

Code Behaviors & Features

Detect and mitigate GHSA-qm9x-v7cx-7rq4 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →