CVE-2026-27487
Published: 21 February 2026
Summary
CVE-2026-27487 is a high-severity OS Command Injection (CWE-78) vulnerability in OpenClaw (vendor and product are both listed as Openclaw). Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). It is ranked at the 7.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27487 is an OS command injection vulnerability (CWE-78) affecting OpenClaw, a personal AI assistant, in versions 2026.2.13 and prior. The issue arises specifically on macOS during the Claude CLI keychain credential refresh process, where the application constructs a shell command using the `security add-generic-password -w` utility to store an updated JSON blob containing OAuth tokens. Since these tokens are user-controlled, they enable injection of arbitrary commands into the shell execution.
The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L), indicating exploitation over the network with low complexity, requiring low privileges and user interaction. A low-privileged user or attacker with network access can exploit it by supplying a malicious OAuth token—potentially via phishing or a compromised authentication flow—tricking the victim into triggering the credential refresh. Successful exploitation allows arbitrary command execution on the macOS host, resulting in high confidentiality and integrity impacts, such as data theft or system modification, with low availability disruption.
Mitigation is available in OpenClaw version 2026.2.14, as detailed in the project's GitHub release notes and related commits (e.g., 66d7178f2d6f9d60abad35797f97f3e61389b70c, 9dce3d8bf83f13c067bc3c32291643d2f1f10a06, b908388245764fb3586859f44d1dff5372b19caf) and pull request #15924, which address the insecure shell command construction. Security practitioners should urge users to update immediately and review macOS keychain access patterns in similar CLI tools handling user-controlled inputs.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7712
Vulnerability details
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via `security add-generic-password -w ...`. Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.
- CWE(s): CWE-78 (OS Command Injection)
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, claude
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection (CWE-78) in the macOS desktop app directly enables arbitrary Unix shell execution (T1059.004) via a malicious OAuth token in the credential refresh path; it also maps to Exploitation for Client Execution (T1203), given AV:N/PR:L/UI:R and the high C/I impact.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of user-controlled OAuth tokens before insertion into shell commands, directly preventing the OS command injection vulnerability.
- SI-2 (Flaw Remediation): Ensures timely patching to OpenClaw version 2026.2.14, which fixes the insecure shell command construction during keychain credential refresh.
- Vulnerability scanning (control identifier not shown on this page): Facilitates vulnerability scanning to identify CVE-2026-27487 in deployed OpenClaw instances, enabling proactive remediation.