GHSA-8mf7-vv8w-hjr2: OpenClaw's tools.exec.safeBins generic fallback allowed interpreter-style inline payload execution in allowlist mode
When tools.exec.safeBins contained a binary without an explicit safe-bin profile, OpenClaw used a permissive generic fallback profile. In allowlist mode, that could let interpreter-style binaries (for example python3, node, ruby) execute inline payloads via flags like -c.
This requires explicit operator configuration to add such binaries to safeBins, so impact is limited to non-default/misconfigured deployments.
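The following is an added illustration, not OpenClaw's own code: it models the permissive generic fallback described above beside a deny-by-default policy that refuses unprofiled binaries and blocks inline-code flags on interpreter-style binaries. All profile contents, flag lists and function names are constructed assumptions; only `tools.exec.safeBins` and the `-c` style of flag come from the advisory.

```typescript
// Added example (not OpenClaw's code). Profiles and flag lists are constructed.
interface SafeBinProfile {
  allowedFlags: Set<string>; // flags this binary may receive
  positionalArgs: boolean;   // whether non-flag arguments are accepted
}
interface Decision { allowed: boolean; reason: string }
// Explicit per-binary profiles (constructed).
const PROFILES: Record<string, SafeBinProfile> = {
  ls:  { allowedFlags: new Set(["-l", "-a", "-h"]), positionalArgs: true },
  cat: { allowedFlags: new Set(["-n"]), positionalArgs: true },
};
// Interpreter-style binaries and the flags that take code inline (constructed list).
const INLINE_CODE_FLAGS: Record<string, Set<string>> = {
  python3: new Set(["-c"]),
  node:    new Set(["-e", "--eval", "-p", "--print"]),
  ruby:    new Set(["-e"]),
};
function checkProfile(profile: SafeBinProfile, args: string[]): Decision {
  for (const a of args) {
    if (a.startsWith("-") && !profile.allowedFlags.has(a)) {
      return { allowed: false, reason: `flag ${a} not in profile` };
    }
    if (!a.startsWith("-") && !profile.positionalArgs) {
      return { allowed: false, reason: "positional args not allowed" };
    }
  }
  return { allowed: true, reason: "matched explicit profile" };
}
// Vulnerable behaviour: an allowlisted binary with no explicit profile gets a
// generic fallback that accepts any arguments, so an interpreter with -c passes.
function legacyFallbackDecision(bin: string, args: string[], safeBins: string[]): Decision {
  if (!safeBins.includes(bin)) return { allowed: false, reason: "not in safeBins" };
  const profile = PROFILES[bin];
  return profile ? checkProfile(profile, args) : { allowed: true, reason: "generic fallback profile" };
}
// Hardened behaviour: unprofiled binaries are denied, and inline-code flags on an
// interpreter are refused even when an operator has added it to safeBins.
function strictDecision(bin: string, args: string[], safeBins: string[]): Decision {
  if (!safeBins.includes(bin)) return { allowed: false, reason: "not in safeBins" };
  const inline = INLINE_CODE_FLAGS[bin];
  if (inline && args.some((a) => inline.has(a))) {
    return { allowed: false, reason: `inline-code flag refused for interpreter ${bin}` };
  }
  const profile = PROFILES[bin];
  return profile ? checkProfile(profile, args) : { allowed: false, reason: "no explicit safe-bin profile" };
}
```

Operators reviewing a deployment can apply the same idea as a check: any entry in `tools.exec.safeBins` that is an interpreter, or that has no explicit profile, should be treated as a finding until the fixed version is in place.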