Mar 4, 2026
OpenClaw versions prior to 2026.2.23 contain a critical flaw in the `safeBins` allowlist logic. If a binary is added to the allowlist without a specific security profile, the system defaults to a permissive generic profile that fails to block dangerous command-line flags. This allows attackers to achieve Remote Code Execution (RCE) by invoking interpreters with inline code execution arguments (e.g., `python3 -c ...`). The vulnerability is patched in version 2026.2.23 by removing the generic fallback and enforcing a deny-by-default policy.
A critical Remote Code Execution (RCE) vulnerability exists in OpenClaw's `safeBins` execution allowlist mechanism. The flaw resides in the `tools.exec.safeBins` configuration logic, where a permissive generic fallback profile was applied to binaries lacking specific security definitions. This oversight allows attackers to bypass command approval policies by leveraging interpreter binaries (e.g., Python, Node.js) to execute arbitrary inline payloads, effectively neutralizing the intended security controls of the agent framework.
OpenClaw is an AI agent framework that executes commands on a host system. To balance usability with security, it implements an approval mechanism for command execution. Operators can configure a safeBins allowlist, which permits specific binaries to execute without manual approval, provided they operate within defined constraints (typically as stdin filters like jq or grep).
The vulnerability exists in the implementation of this allowlist logic. When an operator adds a binary to tools.exec.safeBins but fails to define a corresponding security profile in tools.exec.safeBinProfiles, the system falls back to a default configuration known as SAFE_BIN_GENERIC_PROFILE. This generic profile was intended to provide broad compatibility but lacked the granular restrictions necessary to prevent abuse.
Specifically, the generic profile did not enforce a strict "deny-by-default" policy on command-line arguments. Consequently, if an interpreter binary (such as python3, node, ruby, or perl) was added to the safeBins list, the generic profile permitted the use of execution flags (like -c, -e, or -E). This allowed the AI agent—or an attacker controlling the agent's input—to construct commands that execute arbitrary code, bypassing the containment intended by the allowlist system.
The root cause of this vulnerability is a fail-open design flaw in the policy enforcement logic within src/infra/exec-approvals-allowlist.ts. The function isSafeBinUsage is responsible for validating whether a requested command execution conforms to the safety profiles.
Prior to the patch, the function resolved the security profile for a given binary using a nullish coalescing operator fallback:
```typescript
const profile = safeBinProfiles[execName] ?? genericSafeBinProfile;
```

This logic dictated that if a specific profile was not found for `execName`, the system would automatically apply `genericSafeBinProfile`. The critical error was that `genericSafeBinProfile` was insufficiently restrictive. It essentially treated the binary as a "safe" tool without validating that the arguments passed to it were innocuous. It did not contain a blocklist for dangerous flags (e.g., `-c` for Python or `-e` for Node.js), nor did it restrict the binary to specific subcommands.
This architecture violated the principle of least privilege. By defaulting to a permissive state for unknown configurations, the system implicitly trusted any binary added to the safeBins list to be inherently safe, ignoring the fact that many standard system utilities (interpreters, shells, etc.) are dual-use and can execute arbitrary code if arguments are not strictly sanitized.
The vulnerability remediation focused on removing the unsafe fallback mechanism in src/infra/exec-approvals-allowlist.ts. The patch shifts the logic from "allow with generic profile" to "deny if no specific profile exists".
Vulnerable Code (Pre-Patch):
The original code automatically assigned a permissive generic profile if the specific binary was not found in the profiles map. This allowed execution to proceed with weak constraints.
```typescript
// src/infra/exec-approvals-allowlist.ts
export function isSafeBinUsage(execName: string, args: string[]): boolean {
  // ... (validation logic)
  // DANGEROUS: Fallback to generic profile if specific profile is missing
  const profile = safeBinProfiles[execName] ?? genericSafeBinProfile;
  return validateProfile(profile, args);
}
```

Patched Code (Fixed):
The fix completely removes genericSafeBinProfile and changes the control flow to return false (deny) immediately if safeBinProfiles[execName] resolves to undefined.
```typescript
// src/infra/exec-approvals-allowlist.ts
export function isSafeBinUsage(execName: string, args: string[]): boolean {
  // ... (validation logic)
  const profile = safeBinProfiles[execName];
  // SECURE: Deny-by-default if no specific profile is defined
  if (!profile) {
    return false;
  }
  return validateProfile(profile, args);
}
```

Additionally, in `src/agents/bash-tools.exec.ts`, the initialization logic was updated to scan the configuration at startup. It now warns the operator if any binary in `safeBins` lacks a corresponding profile, proactively identifying misconfigurations that would result in execution denials.
To exploit this vulnerability, an attacker must influence the OpenClaw agent's configuration or rely on an existing misconfiguration where an interpreter is present in safeBins. The attack does not require authentication if the attacker can feed prompts to the agent, as the agent itself performs the execution.
Prerequisites:
- The operator has added one or more interpreter binaries (e.g., `python3`, `node`, `ruby`) to the `safeBins` list to facilitate legitimate agent tasks (e.g., "run this python script to calculate X").
- No corresponding profile has been defined for those binaries in `safeBinProfiles`.

Attack Steps:

1. The agent is prompted to run Python and determines that `python3` is available and "safe" according to the agent's internal state.
2. The agent constructs the command `python3 -c "import os; os.system('cat /etc/passwd')"`.
3. The `isSafeBinUsage` function checks `safeBins`, finds `python3`, and fails to find a specific profile.
4. The system falls back to `genericSafeBinProfile`. Since the generic profile does not block `-c`, the command passes validation.

The impact of this vulnerability is critical, rated at CVSS 9.8. It permits Remote Code Execution (RCE) with the privileges of the user running the OpenClaw agent. In many deployment scenarios, AI agents run with extensive access to file systems, network interfaces, and other local tools to perform their duties.
Confidentiality Impact: An attacker can read any file accessible to the agent process, including environment variables containing API keys, source code, and configuration files.
Integrity Impact: The attacker can modify files, install persistence mechanisms (such as cron jobs or backdoored binaries), and alter the behavior of the AI agent itself.
Availability Impact: The attacker can terminate processes, delete critical data, or crash the host system.
Because the vulnerability bypasses the primary security control (the execution approval workflow) designed to contain the agent's capabilities, it effectively breaks the security model of the application. The barrier between "safe" automated actions and "unsafe" manual actions is dissolved.
The primary remediation is to upgrade OpenClaw to version 2026.2.23 or later. This version enforces the deny-by-default logic and removes the unsafe generic fallback profile.
Immediate Mitigation Strategies: If an immediate upgrade is not feasible, operators must manually secure their configuration:
- Audit `safeBins`: Review the `tools.exec.safeBins` list in your OpenClaw configuration.
- For every binary in `safeBins`, ensure a corresponding entry exists in `tools.exec.safeBinProfiles`.
- Remove interpreters (e.g., `python`, `node`, `bash`) from `safeBins`. If they are required, define strict profiles that explicitly deny execution flags, for example (an entry under `tools.exec.safeBinProfiles`):

```json
"python3": {
  "allowArgs": ["*.py"],
  "denyArgs": ["-c", "-m", "-e"]
}
```

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| OpenClaw | < 2026.2.23 | 2026.2.23 |
| Attribute | Detail |
|---|---|
| CWE | CWE-184 (Incomplete List of Disallowed Inputs) |
| CVSS v3.1 | 9.8 (Critical) |
| Attack Vector | Network (Remote) |
| Privileges Required | None |
| User Interaction | None |
| Impact | Remote Code Execution (RCE) |
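Putting the patched deny-by-default check together with a strict profile of the shape shown in the mitigation section, as an added example (not OpenClaw's own code; the `SafeBinProfile` and `ExecConfig` types, `matchesPattern`, `auditSafeBins` and the sample configuration are assumptions of this example):

```typescript
// Added example (not OpenClaw's code): a deny-by-default safeBins check with
// per-binary profiles. The profile shape (allowArgs/denyArgs) follows the
// mitigation example; all type and function names here are assumed.
type SafeBinProfile = {
  allowArgs?: string[]; // when present, every argument must match one pattern
  denyArgs?: string[];  // flags that are never allowed; checked before allowArgs
};

type ExecConfig = {
  safeBins: string[];
  safeBinProfiles: Record<string, SafeBinProfile>;
};

// Minimal glob: "*.py" matches by suffix ("*" alone matches anything), else exact.
function matchesPattern(arg: string, pattern: string): boolean {
  if (pattern.startsWith("*")) return arg.endsWith(pattern.slice(1));
  return arg === pattern;
}

// Deny list wins. Prefix matching also rejects joined forms such as "-cCODE",
// which interpreters accept exactly like "-c CODE".
function validateProfile(profile: SafeBinProfile, args: string[]): boolean {
  for (const arg of args) {
    if (profile.denyArgs?.some((flag) => arg.startsWith(flag))) return false;
    if (profile.allowArgs && !profile.allowArgs.some((p) => matchesPattern(arg, p))) {
      return false;
    }
  }
  return true;
}

// Patched behaviour: a binary is auto-approved only if it is listed in safeBins
// AND has a specific profile. A missing profile means deny, never a fallback.
export function isSafeBinUsage(cfg: ExecConfig, execName: string, args: string[]): boolean {
  if (!cfg.safeBins.includes(execName)) return false;
  const profile = cfg.safeBinProfiles[execName];
  if (!profile) return false;
  return validateProfile(profile, args);
}

// Startup audit in the spirit of the bash-tools.exec.ts warning: list every
// safeBins entry that has no profile and would therefore always be denied.
export function auditSafeBins(cfg: ExecConfig): string[] {
  return cfg.safeBins.filter((bin) => !(bin in cfg.safeBinProfiles));
}

// Constructed configuration: jq has a profile, python3 is listed without one.
export const sampleConfig: ExecConfig = {
  safeBins: ["jq", "python3"],
  safeBinProfiles: { jq: { denyArgs: ["-f", "--from-file"] } },
};
```

With the constructed configuration, `auditSafeBins` reports `python3` as unprofiled and `isSafeBinUsage` denies it even though it appears in `safeBins`; adding the strict `python3` profile from the mitigation section allows `script.py` while still rejecting `-c`, `-cCODE` and the bare `-` stdin form.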