GHSA-jj82-76v6-933r: OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains

March 3, 2026

system.run exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap env/shell-dispatch wrappers.

This allowed wrapper-smuggled payloads (for example env bash -lc ...) to satisfy an allowlist entry for the wrapper while executing non-allowlisted commands.

References

github.com/advisories/GHSA-jj82-76v6-933r
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/2b63592be57782c8946e521bc81286933f0f99c7
github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r

Code Behaviors & Features

Detect and mitigate GHSA-jj82-76v6-933r with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →