GHSA-7f4q-9rqh-x36p: Execution Allowlist Bypass in OpenClaw macOS via Basename Matching

OpenClaw, an AI automation platform, includes an optional security feature on its macOS desktop client designed to restrict the commands an AI agent can execute. When enabled, the system.run allowlist mode forces the application to verify any requested command against a user-defined list of permitted executables. This feature is critical for sandboxing AI agents preventing them from executing arbitrary system commands or malware.

The vulnerability, identified as GHSA-7f4q-9rqh-x36p, resides in the implementation of this verification logic. Specifically, the application failed to distinguish between a specific system binary (e.g., /bin/echo) and any other binary sharing the same filename (e.g., ./echo). This ambiguity introduced a policy bypass where the intent of the allowlist—to restrict execution to trusted binaries—could be subverted by an attacker controlling the file structure or working directory.

By exploiting this flaw, an attacker or a hallucinating AI model could trigger the execution of untrusted code even when the allowlist mode was strictly enforced. The issue stems from the application's reliance on "basename" matching as a fallback mechanism when resolving command paths.

The root cause of this vulnerability lies in the ExecAllowlistMatcher class within the OpenClaw macOS source code. The logic was designed to match a requested command against the user's allowlist. The matcher first attempted to resolve the absolute path of the command being executed. However, it included a secondary fallback check intended to support legacy configurations where users might have simply entered a filename (like node) instead of a full path.

In the vulnerable version, if an allowlist entry did not explicitly contain path separators (such as /), the system treated it as a filename pattern. The ExecAllowlistMatcher would then compare this pattern against the resolution.executableName (the basename) of the binary being invoked. This comparison ignored the directory location of the target binary entirely.

Consequently, if echo was in the allowlist, the system would authorize /bin/echo (the intended target) but also accept /tmp/malicious/echo or ./echo. The logic prioritized the string match of the filename over the security context of the binary's location, creating a classic Uncontrolled Search Path Element (CWE-427) vulnerability.

The vulnerability was patched in commit dd41fadcaf58fd9deb963d6e163c56161e7b35dd by removing the insecure basename matching logic and enforcing strict path requirements. The following analysis highlights the critical changes in ExecAllowlistMatcher.swift.

Vulnerable Logic (Before Patch):

The original code accepted an execution if the executableName (basename) matched the pattern, disregarding the path.

// In ExecAllowlistMatcher.swift
func match(command: String, resolution: CommandResolution) -> AllowlistEntry? {
    // ... existing logic ...
    if pattern.contains("/") || pattern.contains("\\") {
         // Path-based matching (Correct)
    } else if self.matches(pattern: pattern, target: executableName) {
         // VULNERABLE: Matches any binary with this filename
         return entry
    }
}

Fixed Logic (After Patch):

The fix completely removes the basename fallback. It also introduces a helper isPathPattern to validate that allowlist entries are actual paths. The patch includes migration logic to convert legacy basename entries into their last known absolute paths.

// In ExecAllowlistMatcher.swift
 
// 1. New validation helper
private static func isPathPattern(_ pattern: String) -> Bool {
    pattern.contains("/") || pattern.contains("~") || pattern.contains("\\")
}
 
// 2. Updated matching logic
func match(command: String, resolution: CommandResolution) -> AllowlistEntry? {
    // ...
    // The insecure `else if` block matching `executableName` was removed entirely.
    
    // Only allows execution if the pattern is a path AND matches the resolved path
    if ExecAllowlistMatcher.isPathPattern(pattern) && 
       self.matches(pattern: pattern, target: resolution.executablePath) {
        return entry
    }
    return nil
}

Additionally, the SystemRunSettingsView.swift was updated to warn users against entering basename-only patterns, reinforcing the requirement for absolute paths in the UI.

To exploit this vulnerability, an attacker requires the ability to place a file on the victim's filesystem and the ability to trigger a command via the OpenClaw agent (often achievable via prompt injection or direct instruction if the attacker controls the inputs).

Step-by-Step Attack Flow:

1. Reconnaissance: The attacker identifies a command present in the target's allowlist. Common utilities like python, node, or echo are frequent candidates.
2. Staging: The attacker creates a malicious executable or script. They name this malicious file to match the identified allowed command (e.g., naming the malware node).
3. Placement: The malware is placed in a directory accessible to the OpenClaw agent, such as the current working directory or a temporary folder.
4. Execution: The attacker instructs the OpenClaw agent to execute the local binary (e.g., system.run(command: "./node")).
5. Bypass: The vulnerable ExecAllowlistMatcher extracts the basename node from ./node, compares it to the allowlist entry node, and finds a match. The execution is authorized, and the malicious code runs.

This technique is particularly effective because it requires no privileges to modify the allowlist itself; it only relies on the flawed comparison logic used to enforce it.

The impact of this vulnerability is high for users relying on the allowlist feature for security. The bypass effectively renders the allowlist useless against a knowledgeable attacker, degrading the security posture to that of a system with no execution restrictions.

Consequences:

• Arbitrary Code Execution: Attackers can execute unauthorized code with the privileges of the OpenClaw application.
• Sandbox Escape: The allowlist is the primary boundary preventing an AI agent from modifying system state. Bypassing this allows the agent (or an attacker controlling it) to access the network, read sensitive files, or install persistence mechanisms.
• Persistence: A malicious binary could be used to install launch agents or modify shell configurations, maintaining access even after the OpenClaw application is closed.

While the vulnerability is local, the vector often involves AI interaction, meaning an external prompt injection could trigger this local exploitation chain.