CVE-2026-31993: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
In the macOS companion app (currently beta), the exec-approval code parsed a command differently from the shell that later executed it. Because of that mismatch, a shell-chain payload could pass the allowlist check for system.run under specific settings, so a command whose first element was allowlisted could carry additional, non-allowlisted commands along with it.
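The bug class is easiest to see side by side: an allowlist gate that inspects only the first word of a command line, next to one that tokenises the line the way a POSIX shell does and checks every simple command in the chain. The following is an added illustration written for this page, not OpenClaw's code; the allowlist, the operator set and the function names are constructed for the example, and the strict checker deliberately denies anything it cannot parse (redirections, subshells, expansions, unbalanced quotes) rather than guessing.

```python
import shlex

# Constructed allowlist for this example (not OpenClaw's configuration).
ALLOWLIST = frozenset({"ls", "cat", "echo", "whoami"})

# Shell control operators that chain simple commands; each side must be checked.
CHAIN_OPERATORS = frozenset({";", "&&", "||", "|", "&"})

# Characters that trigger expansion or hide a second command from a
# line-oriented check. A deny-by-default gate refuses them outright.
DENY_CHARS = frozenset("`$\n\r")


def naive_allowed(command: str) -> bool:
    """Vulnerable pattern: approve the whole line if its first word is allowed.

    The shell sees 'ls && rm -rf /tmp' as two commands; this check sees 'ls'.
    """
    words = command.split()
    return bool(words) and words[0] in ALLOWLIST


def shell_segments(command: str) -> list[list[str]]:
    """Tokenise like a POSIX shell and split the line on control operators.

    Returns one token list per simple command. Raises ValueError on
    unbalanced quotes or on punctuation that is not a recognised chain
    operator (redirections such as '>&', subshell parentheses), so unknown
    syntax is denied instead of being silently accepted.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True   # keep words like 'http://x' or 'a@b' intact
    lexer.commenters = ""           # '#' must not hide the rest of the line
    segments: list[list[str]] = [[]]
    for tok in lexer:               # raises ValueError: "No closing quotation"
        if tok in CHAIN_OPERATORS:
            segments.append([])
        elif tok and all(c in lexer.punctuation_chars for c in tok):
            raise ValueError(f"unsupported shell syntax: {tok!r}")
        else:
            segments[-1].append(tok)
    return segments


def strict_allowed(command: str) -> bool:
    """Hardened check: every simple command in the chain must be allowlisted."""
    if any(c in DENY_CHARS for c in command):
        return False                # backticks, $(...), ${...}, embedded newlines
    try:
        segments = shell_segments(command)
    except ValueError:
        return False                # unparseable input is denied, not approved
    # An empty segment (trailing ';' or '&&') is also denied.
    return all(seg and seg[0] in ALLOWLIST for seg in segments)


if __name__ == "__main__":
    # Constructed probe inputs: the first three are chain/newline bypasses of
    # the naive gate; the last two show legitimate input still passing.
    probes = [
        "ls && rm -rf /tmp",
        "ls\nrm -rf /tmp",
        "cat /etc/hosts | grep localhost",
        'echo "a && b"',
        "echo hi ; echo bye",
    ]
    for cmd in probes:
        print(f"{cmd!r:40} naive={naive_allowed(cmd)!s:5} strict={strict_allowed(cmd)}")
```

The strict checker is intentionally stricter than the shell: `ls 2>&1` and `echo "$HOME"` are refused even though they are harmless, because an exec gate for an agent should only approve syntax it fully understands. Note also that quoted text is honoured (`echo "a && b"` is one command with one argument), which a regex that merely scans for `&&` or `;` would get wrong in both directions.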
References
- github.com/advisories/GHSA-5f9p-f3w2-fwch
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/5da03e622119fa012285cdb590fcf4264c965cb5
- github.com/openclaw/openclaw/commit/e371da38aab99521c4e076cd3d95fd775e00b784
- github.com/openclaw/openclaw/security/advisories/GHSA-5f9p-f3w2-fwch
- nvd.nist.gov/vuln/detail/CVE-2026-31993
- www.vulncheck.com/advisories/openclaw-allowlist-parsing-mismatch-in-system-run-shell-chains