CVE-2026-28363: Critical OpenClaw safeBins Bypass Enables Approval-Free Command Execution via GNU Option Abuse

OpenClaw safeBins Allowlist Bypass – Approval-Free Execution

CVE ID: CVE-2026-28363
Product: OpenClaw
Component: tools.exec.safeBins
Affected Versions: All versions prior to 2026.2.23
Fixed Version: 2026.2.23 and later
CVSS v3.1 Score: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: Critical
Exploitability: High
Exploit Availability: No confirmed public weaponized exploit at the time of writing


Executive Summary

A critical security weakness was identified in OpenClaw’s tools.exec.safeBins validation logic. The mechanism responsible for enforcing command execution restrictions relied on direct string comparison when validating allowed and denied command options. Due to incomplete normalization of GNU-style long option abbreviations, it became possible to bypass the approval enforcement mechanism.

Under specific conditions, abbreviated command-line options were accepted by the underlying GNU argument parser but were not recognized by the allowlist filter. As a result, restricted execution paths could be triggered without the intended administrative approval.

This issue effectively allowed approval-free execution of certain command behaviors and created a pathway for remote command execution in environments where OpenClaw accepted user-controlled input to tools.exec.


Technical Root Cause

The vulnerability stemmed from improper input canonicalization.

OpenClaw attempted to block dangerous options by matching exact argument strings (for example, blocking --compress-program). However, GNU long options support unique prefix abbreviations. If a prefix uniquely identifies a long option, the GNU parser automatically expands it internally.

Example:

  • Full option: --compress-program
  • Abbreviated option: --compress-prog

The validation layer did not normalize or expand abbreviated options before performing allowlist checks. Because the abbreviated form did not exactly match the blocked string, it passed validation. Once handed to the underlying GNU tool (e.g., sort), it was interpreted as the full restricted option.

This mismatch between validation logic and actual command parsing behavior created the bypass condition.
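The mismatch described above, as an added Python illustration (not OpenClaw's code): an exact-string check next to one that expands each long option the way the GNU parser does before deciding. The option table is a partial, hand-written subset of sort's long options, and all function names are hypothetical.

```python
# Added illustration; not OpenClaw's code. The table is a partial,
# hand-written subset of GNU sort's long options (assumption).
SORT_LONG_OPTS = ("check", "compress-program", "debug", "key",
                  "output", "reverse", "stable", "unique")
DENIED = {"compress-program"}


def naive_is_allowed(argv):
    """Flawed pattern from the advisory: compare option names verbatim."""
    names = {a[2:].split("=", 1)[0] for a in argv if a.startswith("--")}
    return not (names & DENIED)


def resolve_long_option(name, table=SORT_LONG_OPTS):
    """Mirror getopt_long: an exact name wins, else a unique prefix expands."""
    if name in table:
        return name
    hits = [opt for opt in table if opt.startswith(name)]
    return hits[0] if len(hits) == 1 else None


def hardened_check(argv):
    """Return (allowed, reason) after canonicalizing every long option.

    Short options are out of scope for this sketch.
    """
    for arg in argv:
        if arg == "--":            # everything after this is an operand
            break
        if not arg.startswith("--"):
            continue
        name = arg[2:].split("=", 1)[0]
        full = resolve_long_option(name)
        if full is None:
            return False, f"unknown or ambiguous option --{name}"
        if full in DENIED:
            return False, f"--{name} resolves to denied --{full}"
        if full != name:
            return False, f"abbreviation --{name} of --{full} not permitted"
    return True, "ok"


if __name__ == "__main__":
    for argv in (["--compress-program=/bin/sh", "payload.txt"],
                 ["--compress-prog=/bin/sh", "payload.txt"],
                 ["--rev", "payload.txt"]):
        print(argv, naive_is_allowed(argv), hardened_check(argv))
```

In a real validator the option table should be derived from the exact tool version being wrapped, since the set of unique prefixes changes whenever the tool adds an option.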


Impact Assessment

If an attacker had the ability to supply arguments into a workflow that invoked tools.exec, the following impacts were possible:

  • Execution of restricted command options without approval
  • Invocation of external programs via command options
  • Potential arbitrary command execution
  • Privilege escalation depending on service account permissions
  • Lateral movement if OpenClaw had access to other internal systems
  • Data exfiltration or integrity compromise

The vulnerability was particularly severe in:

  • Multi-tenant AI orchestration environments
  • CI/CD pipelines invoking OpenClaw
  • Containerized deployments running with elevated privileges
  • Systems where tools.exec was exposed through API endpoints

Attack Scenarios

The issue could have been exploited under the following conditions:

  1. The attacker had access to submit input processed by tools.exec.
  2. The input allowed control over command-line arguments.
  3. The OpenClaw instance ran with sufficient privileges.

The attack chain would typically involve:

  • Supplying a crafted GNU long option abbreviation
  • Bypassing safeBins validation
  • Triggering execution of a restricted command behavior
  • Leveraging that execution for further compromise

No user interaction was required beyond supplying the crafted input.


Proof of Concept (Educational)

The following illustrates the bypass concept in a controlled lab environment.

Intended blocked command:

sort --compress-program=/bin/sh payload.txt

Bypass using abbreviation:

sort --compress-prog=/bin/sh payload.txt

If validation only blocked --compress-program exactly, the abbreviated form would pass through filtering but still be interpreted by GNU as the same dangerous option.

No automated exploit toolkit has been publicly confirmed at this time.


MITRE ATT&CK Mapping

  • T1059 – Command and Scripting Interpreter
  • T1202 – Indirect Command Execution
  • T1068 – Exploitation for Privilege Escalation
  • T1190 – Exploit Public-Facing Application

Detection Guidance

Detection should focus on identifying abnormal or abbreviated GNU long options executed by OpenClaw processes.


Log Sources

The following telemetry sources should be enabled:

  • Linux auditd (execve syscall logging)
  • Sysmon (Windows process creation events)
  • Container runtime logs (Docker, containerd)
  • Kubernetes audit logs
  • OpenClaw application debug logs
  • EDR process telemetry
  • SIEM process creation monitoring

Detection Queries

Splunk – Suspicious Abbreviated Option Usage

index=endpoint OR index=sysmon
(Image="*openclaw*" OR ParentImage="*openclaw*")
CommandLine="*sort*--compress-prog*"
| table _time, host, user, Image, ParentImage, CommandLine

Splunk – OpenClaw Spawning Shell

index=endpoint
ParentImage="*openclaw*"
(Image="*/bin/sh" OR Image="*/bin/bash" OR Image="*cmd.exe")
| table _time, host, user, ParentImage, Image, CommandLine

Elastic EQL – Abbreviated Option Detection

process where process.parent.name == "openclaw" and
process.command_line : "*--compress-prog*"

Elastic – Suspicious Child Process

process where process.parent.name == "openclaw" and
process.name in ("sh","bash","dash","cmd.exe","powershell.exe")

Linux auditd Rule

-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sort -F key=openclaw_sort

Search logs for:

ausearch -k openclaw_sort | grep -- "--compress-prog"
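The grep above matches only the --compress-prog spelling and longer ones, and it cannot see arguments that auditd has hex-encoded. As an added example (not part of the original advisory), this Python sketch rebuilds argv from EXECVE records and flags any spelling that is a prefix of the denied option; the sample records are constructed and the function names are hypothetical.

```python
import re

DENIED = "compress-program"
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|((?:[0-9A-Fa-f]{2})+)(?=\s|$))')
EVENT_RE = re.compile(r"audit\([\d.]+:(\d+)\)")


def execve_argv(record):
    """Rebuild argv from one EXECVE record, decoding hex-encoded arguments."""
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(record):
        args[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return [args[i] for i in sorted(args)]


def is_denied_prefix(arg):
    """True for --compress-program and every shorter spelling of it.

    Ambiguous spellings the tool itself would reject are flagged too.
    """
    if not arg.startswith("--"):
        return False
    name = arg[2:].split("=", 1)[0]
    return bool(name) and DENIED.startswith(name)


def suspicious_sort_execs(records):
    """Return [(event_id, [matching args])] for sort invocations."""
    hits = []
    for rec in records:
        argv = execve_argv(rec)
        if not argv or argv[0].rsplit("/", 1)[-1] != "sort":
            continue
        bad = [a for a in argv[1:] if is_denied_prefix(a)]
        if bad:
            m = EVENT_RE.search(rec)
            hits.append((m.group(1) if m else None, bad))
    return hits


# Constructed sample records (not from a real host). auditd hex-encodes
# arguments containing spaces, so the third a1 is built that way here.
HEXED = "--comp=/opt/my tool".encode().hex().upper()
SAMPLE = [
    'type=EXECVE msg=audit(1767225600.101:811): argc=3 a0="sort" a1="-r" a2="data.txt"',
    'type=EXECVE msg=audit(1767225600.202:812): argc=3 a0="sort" '
    'a1="--compress-prog=/bin/sh" a2="payload.txt"',
    f'type=EXECVE msg=audit(1767225600.303:813): argc=3 a0="/usr/bin/sort" a1={HEXED} a2="in.txt"',
    'type=EXECVE msg=audit(1767225600.404:814): argc=3 a0="sort" a1="--check" a2="data.txt"',
]

if __name__ == "__main__":
    for event_id, args in suspicious_sort_execs(SAMPLE):
        print(event_id, args)
```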

Falco – Container Runtime Rule

- rule: OpenClaw Sort Abbreviation
  desc: Detect abbreviated dangerous GNU option
  condition: container and proc.name=sort and proc.args contains "--compress-prog"
  output: "Potential OpenClaw safeBins bypass (cmd=%proc.cmdline)"
  priority: CRITICAL

Indicators of Compromise

  • sort process executed with abbreviated long options
  • OpenClaw spawning shell interpreters
  • Unexpected child processes from OpenClaw
  • Missing approval log entries for executed commands
  • Outbound network connections from OpenClaw container after suspicious execution

Mitigation & Hardening

  1. Upgrade immediately.
  2. Enforce full argument normalization before validation.
  3. Reject all abbreviated long options unless explicitly permitted.
  4. Restrict execution privileges of the OpenClaw service account.
  5. Run OpenClaw inside least-privileged containers.
  6. Apply seccomp/AppArmor profiles limiting system calls.
  7. Enable full command-line logging.

Patch / Upgrade

All deployments must be upgraded to:

OpenClaw 2026.2.23 or later

Official release page:

https://github.com/openclaw/openclaw/releases/tag/v2026.2.23


Risk Evaluation

This vulnerability carries critical risk because:

  • It bypasses security control logic rather than exploiting memory corruption.
  • It requires minimal attacker sophistication.
  • It enables execution pathways not intended by administrators.
  • It can be exploited remotely where argument input is exposed.
  • It impacts confidentiality, integrity, and availability simultaneously.

Final Recommendation

Immediate patching is strongly advised. Detection rules should be deployed before and after patch rollout to identify potential historical abuse. Any suspicious executions originating from OpenClaw should be treated as high priority and investigated thoroughly.


Aegiron
