⚠ Withdrawn by GitHub Security Advisories
Withdrawn: June 18, 2026
GHSA-g796-jqmx-wf9qMediumCVSS 6.6Disclosed before NVD
Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags
📋 Description
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-c226-q6fx-6j6c. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.
🎯 Affected products1
- npm/openclaw:<= 2026.5.5