CVE-2026-22175
Published: 18 March 2026
Summary
CVE-2026-22175 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in OpenClaw. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). It is ranked at the 8.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and CM-10 (Software Usage Restrictions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and correction of the specific exec approval bypass flaw in OpenClaw, preventing exploitation via shell wrappers like busybox and toybox.
Mandates enforcement of deny-by-exception software execution restrictions, directly addressing the allowlist bypass that permits arbitrary payloads under unrecognized multiplexer wrappers.
Implements a reference monitor to mediate all execution access requests, countering the vulnerability's circumvention of stored allowlist rules through shell wrappers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Bypass of command allowlist via unrecognized shell wrappers (busybox/toybox sh -c) directly enables indirect Unix shell execution of arbitrary payloads.
NVD Description
OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers like busybox and toybox sh -c commands. Attackers can exploit this by invoking arbitrary payloads under the same multiplexer wrapper to satisfy stored allowlist rules, bypassing intended execution restrictions.
Deeper analysis
CVE-2026-22175 is an exec approval bypass vulnerability in OpenClaw versions prior to 2026.2.23. In allowlist mode, the flaw allows allow-always grants to be circumvented through unrecognized multiplexer shell wrappers, such as busybox and toybox sh -c commands. Attackers can invoke arbitrary payloads under these wrappers to satisfy stored allowlist rules, bypassing intended execution restrictions. The issue is classified as CWE-184 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).
The vulnerability can be exploited by an attacker with low privileges (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By crafting commands that leverage the multiplexer wrappers, the attacker bypasses allowlist checks, enabling execution of unauthorized payloads. This results in high confidentiality impact (C:H), such as potential access to sensitive data, and low integrity impact (I:L), with no availability disruption (A:N).
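To make the failure mode concrete, the following is an added example, not OpenClaw's code and not taken from the patch: a simplified TypeScript model of an exec-approval allowlist in which an allow-always grant is stored under a key derived from the command line. The vulnerable key function recognizes a direct shell -c but treats busybox and toybox as ordinary binaries, while the hardened one unwraps recognized multiplexers before classifying what actually runs. The names grantKeyVulnerable, grantKeyHardened, isShellWithScript and bypassSucceeds, and the two constructed command lines, are assumptions for illustration only.

```typescript
// Added illustration, not OpenClaw's code: a simplified exec-approval allowlist where an
// "allow-always" grant is stored under a key derived from the command line.
const MULTIPLEXERS = ["busybox", "toybox"]; // the applet is chosen by the first argument
const SHELLS = ["sh", "ash", "bash", "dash"];

function basename(path: string): string {
  return path.slice(path.lastIndexOf("/") + 1);
}
// A shell given -c runs an arbitrary script, so it must never earn a reusable grant.
function isShellWithScript(args: string[]): boolean {
  return SHELLS.indexOf(basename(args[0])) !== -1 && args.indexOf("-c") !== -1;
}
// Vulnerable key (hypothetical): direct shells are recognized, but busybox/toybox are
// ordinary binaries here, so "busybox sh -c <anything>" keys to just "busybox".
function grantKeyVulnerable(argv: string[]): string | null {
  return isShellWithScript(argv) ? null : basename(argv[0]);
}

// Hardened key (hypothetical): strip recognized multiplexer wrappers, then classify the
// applet that actually runs; a bare multiplexer gets no reusable grant either.
function grantKeyHardened(argv: string[]): string | null {
  let args = argv;
  while (args.length > 1 && MULTIPLEXERS.indexOf(basename(args[0])) !== -1) {
    args = args.slice(1); // "busybox sh -c ..." becomes "sh -c ..."
  }
  const isMux = MULTIPLEXERS.indexOf(basename(args[0])) !== -1;
  return isMux || isShellWithScript(args) ? null : basename(args[0]);
}

// Constructed scenario: the operator approves one harmless busybox listing "always",
// then a different script arrives under the same wrapper.
const APPROVED_ONCE = ["busybox", "sh", "-c", "ls /srv/app"];
const LATER_REQUEST = ["busybox", "sh", "-c", "cat /srv/app/.env"];

function bypassSucceeds(keyOf: (argv: string[]) => string | null): boolean {
  const grants: { [key: string]: true } = {};
  const stored = keyOf(APPROVED_ONCE); // allow-always: remember the key, if any
  if (stored !== null) grants[stored] = true;
  const later = keyOf(LATER_REQUEST); // later request: auto-approve on key match
  return later !== null && grants[later] === true;
}
```

With the vulnerable key the later request is auto-approved because both command lines collapse to "busybox"; with the hardened key the first approval yields no reusable grant at all, so the later request goes back to explicit approval.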
Mitigation is provided in OpenClaw version 2026.2.23. Patch details are available in the GitHub commit at https://github.com/openclaw/openclaw/commit/a67689a7e3ad494b6637c76235a664322d526f9e. Additional guidance appears in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-gwqp-86q6-w47g and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-exec-approval-bypass-via-unrecognized-multiplexer-shell-wrappers.
Details
- CWE(s)