CVE-2026-27487: OpenClaw CLI Command Injection Flaw Enables Local System Compromise on macOS

Aegiron 9 mins0

CVE-2026-27487

Product: OpenClaw CLI (macOS keychain integration)
Vulnerability Type: OS Command Injection (CWE-78)
CVSS v3.1 Score: 7.6 (High)
Severity: High
Attack Vector: Local
Privileges Required: Low (local user context)
User Interaction: Not required once vulnerable code path is triggered
Impact: Arbitrary command execution in the context of the logged-in user
Exploit Availability: No verified public exploit released at the time of writing
Patch Available: Yes (upgrade required)

Overview

A command injection vulnerability was identified in OpenClaw CLI affecting macOS systems. The issue exists in the credential refresh mechanism where OAuth token data is written into the macOS Keychain using the native security utility.

Improper handling of externally influenced input allowed token data to be passed into a shell command without strict neutralization of special characters. Because the command was executed through a shell interpreter, crafted input containing shell metacharacters could result in unintended command execution.

The vulnerability affects versions 2026.2.13 and earlier and has been fixed in 2026.2.14.

Technical Root Cause

During OAuth token refresh, a command was constructed to store credentials using:

security add-generic-password -w <token_data>

Instead of passing arguments safely as a structured array to the security binary, token data was interpolated into a shell command string. If token content contained shell control characters such as:

;  &&  |  `  $()  >  <

the shell could interpret them as additional commands.

The issue was remediated by removing shell execution and replacing it with a secure process invocation method that passes arguments directly to the binary without interpretation.

Affected Versions

  • OpenClaw CLI ≤ 2026.2.13 (macOS builds)
  • Fixed in: 2026.2.14

Impact Assessment

If exploited successfully, the following impacts are possible:

  • Execution of arbitrary OS commands
  • Access to user files and SSH keys
  • Credential theft
  • Installation of persistence mechanisms
  • Modification of development environments
  • Data exfiltration
  • Lateral movement within development infrastructure

Because execution occurs in user context, full system compromise depends on user privileges. On developer machines with elevated rights, the blast radius may be significant.

Exploitation Scenario (Educational)

For exploitation to occur, an attacker would need control over the OAuth token value or related input that reaches the vulnerable keychain write function.

Potential attack paths include:

  1. Malicious OAuth provider response manipulation
  2. Compromised development environment
  3. Supply chain compromise injecting crafted token content
  4. Local adversary with ability to modify token storage before refresh

If malicious payload characters are embedded in the token and passed into the shell command, command chaining becomes possible.

No verified public proof-of-concept exploit has been released. However, the vulnerability class is well understood and exploitation would not be technically complex if input control is achieved.

MITRE ATT&CK Mapping

CWE: CWE-78 – OS Command Injection

ATT&CK Techniques:

  • T1059 – Command and Scripting Interpreter
  • T1552 – Unsecured Credentials
  • T1547 – Boot or Logon Autostart Execution (if persistence established)
  • T1105 – Ingress Tool Transfer

Indicators of Compromise

Indicators may include:

  • Unusual execution of /usr/bin/security with long or irregular argument strings
  • Child processes spawned immediately after security execution
  • Network connections initiated shortly after credential refresh
  • Unexpected file writes in user directories
  • Creation of new launch agents or cron entries

Detection Guidance

Log Sources to Monitor

  • macOS Unified Logging
  • Endpoint Detection & Response (process creation telemetry)
  • Auditd process execution logs
  • osquery process table
  • Developer workstation monitoring systems
  • CI/CD execution logs (if CLI used in automation)

Detection Queries

Splunk Query

index=endpoint process_name="security"
process_args="*add-generic-password*"
| where parent_process_name="openclaw" OR parent_process_name="claude"
| eval suspicious_chars=match(process_args, "[;&|`$<>]")
| where suspicious_chars=1 OR len(process_args) > 150

Elastic EQL Query

process where process.name == "security" 
  and process.args : "*add-generic-password*" 
  and process.parent.name in ("openclaw","claude")
  and (stringlength(process.command_line) > 150 
       or process.command_line regex ".*[;&|`$<>].*")

Microsoft Sentinel (KQL)

DeviceProcessEvents
| where FileName == "security"
| where ProcessCommandLine contains "add-generic-password"
| where InitiatingProcessFileName in ("openclaw","claude")
| extend SuspiciousChars = iff(ProcessCommandLine matches regex "[;&|`$<>]", 1, 0)
| where SuspiciousChars == 1 or strlen(ProcessCommandLine) > 150

osquery Hunt Query

SELECT pid, name, cmdline, parent, datetime(start_time, 'unixepoch')
FROM processes
WHERE name='security'
AND cmdline LIKE '%add-generic-password%'
AND parent IN (
  SELECT pid FROM processes 
  WHERE name LIKE '%openclaw%' OR name LIKE '%claude%'
);

Behavioral Detection Strategy

  • Alert on parent-child relationship: openclawsecurity
  • Monitor abnormal argument length for keychain write operations
  • Correlate with outbound network activity within 60 seconds of execution
  • Monitor for creation of launch agents in: ~/Library/LaunchAgents/
    /Library/LaunchAgents/
  • Watch for suspicious file modifications in user home directory

Forensic Investigation Steps

  1. Identify affected OpenClaw versions.
  2. Extract process execution history.
  3. Review command-line arguments of security invocations.
  4. Check for unusual child processes.
  5. Review Keychain entries created during suspected time window.
  6. Inspect persistence locations.
  7. Rotate exposed OAuth tokens and API keys.

Remediation

Immediate upgrade to the patched version is required.

Official Patch / Upgrade Link:

https://github.com/openclaw/openclaw/releases

Upgrade to version 2026.2.14 or later.

Post-Remediation Actions

  • Rotate all OAuth tokens
  • Reset developer credentials if exposure suspected
  • Validate integrity of development systems
  • Enable strict endpoint logging
  • Consider restricting shell execution for CLI tools where feasible

Risk Summary

This vulnerability represents a classic command injection flaw with high impact in developer environments. Although exploitation requires control of token input, environments with CI/CD pipelines or automated authentication flows may present realistic exposure paths.

The vulnerability has been resolved in the latest release. Systems running outdated versions should be considered at risk until upgraded and validated.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.