HIGHCVE-2026-44115Published 2026-05-06Modified 2026-05-07CNA VulnCheck

CVE-2026-44115: OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted Heredocs via Exec Allowlist

OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell expansion tokens in heredoc bodies to execute unapproved commands at runtime.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 2026.4.22
Affected Products: 1

Fix available

2026.4.22

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.4.22 (from 0)
Fixed in 2026.4.22

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-x3h8-jrgh-p8jx)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted Heredocs via Exec Allowlist

Metrics

Fix available