GHSA-4685-c5cp-vp95: OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags

February 19, 2026 (updated March 16, 2026)

tools.exec.safeBins could be bypassed for filesystem access when sort output flags (-o / --output) or recursive grep flags were allowed through safe-bin execution paths.

References

github.com/advisories/GHSA-4685-c5cp-vp95
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/2c05cbb43e48ebad03626d3125746fb1b9a8520f
github.com/openclaw/openclaw/security/advisories/GHSA-4685-c5cp-vp95

Code Behaviors & Features

Detect and mitigate GHSA-4685-c5cp-vp95 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →