⚠ Withdrawn by GitHub Security Advisories

Withdrawn: June 18, 2026

GHSA-wrr6-p5r6-474mLowCVSS 4.3Disclosed before NVD

Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers

Published
June 16, 2026
Last Modified
June 18, 2026

📋 Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cwpp-5962-q4f6. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist validation by leveraging transparent command wrappers to perform unintended operations.

🎯 Affected products1

  • npm/openclaw:<= 2026.5.22

🔗 References (4)