⚠ Withdrawn by GitHub Security Advisories
Withdrawn: June 18, 2026
GHSA-wrr6-p5r6-474mLowCVSS 4.3Disclosed before NVD
Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers
📋 Description
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-cwpp-5962-q4f6. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist validation by leveraging transparent command wrappers to perform unintended operations.
🎯 Affected products1
- npm/openclaw:<= 2026.5.22