CVE-2026-28363: Remote Code Execution in OpenClaw via safeBins Validation Bypass

OpenClaw provides a safeBins feature designed to allow the execution of specific system binaries (such as sort, grep, and jq) while restricting dangerous arguments. This feature relies on a deny-list approach, where specific flags known to facilitate arbitrary code execution or filesystem manipulation are explicitly forbidden. For example, the sort utility has the --compress-program flag blocked because it allows the execution of external binaries.

The vulnerability arises from a logic error in how these restrictions are enforced. OpenClaw's validator checks for exact string matches against the deny list. However, standard GNU utilities use getopt_long for argument parsing, which automatically expands unique abbreviations of long options. This discrepancy allows an attacker to supply an abbreviated flag that the validator does not recognize but the underlying binary accepts and executes.

The root cause is an Incomplete List of Disallowed Inputs (CWE-184) combined with an argument parsing inconsistency. The vulnerability exists because the application attempts to filter input without normalizing it to the canonical form expected by the consumer (the system binary).

In src/infra/exec-safe-bin-policy.ts, the validation logic iterated through user-provided arguments and compared them strictly against a deniedFlags Set. If the user provided --compress-program, the check failed (correctly). However, if the user provided --compress-prog, the check passed because that specific string was not in the deny list. The underlying sort binary, however, treats --compress-prog as an alias for --compress-program due to getopt_long behavior, creating a bypass condition.

The vulnerable code relied on a direct look-up of the provided argument against a set of forbidden strings. It failed to account for the flexibility of command-line parsers.

// Vulnerable Logic (Simplified)
const deniedFlags = new Set(['--compress-program', '--output']);
 
function validate(args) {
  for (const arg of args) {
    // EXACT match check allows bypass via abbreviations
    if (deniedFlags.has(arg)) {
      throw new Error('Denied flag detected');
    }
  }
}

The fix, introduced in commit 3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f, implements a canonicalization layer. Before validation occurs, the system now resolves all long options to their full names using a logic that mimics getopt_long.

// Patched Logic (Conceptual)
function validate(args) {
  for (const arg of args) {
    // 1. Canonicalize the argument (e.g., '--compress-p' -> '--compress-program')
    const canonical = resolveLongOption(arg, knownFlags);
    
    // 2. Validate the CANONICAL form
    if (deniedFlags.has(canonical)) {
      throw new Error('Denied flag detected');
    }
  }
}

This ensures that any valid abbreviation is expanded to its full form before the security check is applied. If the abbreviation is ambiguous (matches multiple flags), the patch correctly rejects the input.

Exploitation assumes the attacker has authenticated access to the OpenClaw API and that the tools.exec module is configured with sort as an allowed binary. The attacker sends a JSON payload to the execution endpoint, crafting the arguments to use the abbreviated flag.

1. Target Selection: Identify the sort binary in the safeBins configuration.
2. Payload Construction: Use --compress-prog (or any unique prefix like --compress-p) to define the external program sh. Pass the malicious command as an argument to sh.
3. Execution: The API validates the arguments, fails to find --compress-prog in the deny list, and spawns the process.

Proof of Concept:

{
    "tool": "exec",
    "args": {
        "cmd": "sort",
        "args": [
            "--compress-prog=sh -c 'id > /tmp/pwned'",
            "-o", 
            "/dev/null",
            "/dev/null"
        ]
    }
}

Upon execution, sort interprets the flag as --compress-program and invokes sh, executing the attacker's command.

This vulnerability is rated Critical (CVSS 9.9). Successful exploitation results in Remote Code Execution (RCE) with the privileges of the OpenClaw service account.

• Confidentiality: Attackers can read sensitive files, environment variables, and database credentials accessible to the application.
• Integrity: Attackers can modify application code, inject backdoors, or alter data stored on the filesystem.
• Availability: Attackers can terminate the process, delete essential files, or consume system resources (DoS).

The vulnerability is currently weaponized with public exploit scripts available, making immediate remediation essential for all exposed instances.

The primary mitigation is to upgrade OpenClaw to version 2026.2.23 or later. This version includes the patch that canonicalizes command-line arguments before validation.

If upgrading is not immediately possible, administrators should update their safeBins configuration to temporarily remove sort and any other binaries that support getopt_long style abbreviations and have known dangerous flags. Note that simply adding --compress-prog to the deny list is insufficient, as attackers can vary the abbreviation length (e.g., --compress-pro, --compress-p). Removing the binary from the allowed list is the only safe configuration workaround.