CVE-2026-27566: OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains
(updated )
system.run exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap env/shell-dispatch wrappers.
This allowed wrapper-smuggled payloads (for example env bash -lc ...) to satisfy an allowlist entry for the wrapper while executing non-allowlisted commands.
References
- github.com/advisories/GHSA-jj82-76v6-933r
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/2b63592be57782c8946e521bc81286933f0f99c7
- github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r
- nvd.nist.gov/vuln/detail/CVE-2026-27566
- www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-wrapper-binary-unwrapping-in-system-run
Code Behaviors & Features
Detect and mitigate CVE-2026-27566 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →