GHSA-5f9p-f3w2-fwch: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains

March 2, 2026

In the macOS companion app (currently beta), a parsing mismatch in exec approvals could let shell-chain payloads pass allowlist checks in system.run under specific settings.

References

github.com/advisories/GHSA-5f9p-f3w2-fwch
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/5da03e622119fa012285cdb590fcf4264c965cb5
github.com/openclaw/openclaw/commit/e371da38aab99521c4e076cd3d95fd775e00b784
github.com/openclaw/openclaw/security/advisories/GHSA-5f9p-f3w2-fwch

Code Behaviors & Features

Detect and mitigate GHSA-5f9p-f3w2-fwch with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →