Cyber Resilience

CVE-2026-27487

Severity: High · RCE

Published: 21 February 2026

Modified: 23 February 2026
KEV Added: not listed
Patch: (no entry)
CVSS Score (v3.1): 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0002 (7.1th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27487 is a high-severity OS Command Injection (CWE-78) vulnerability in OpenClaw (CPE vendor/product: openclaw/openclaw). Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). Its EPSS ranking is the 7.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27487 is an OS command injection vulnerability (CWE-78) affecting OpenClaw, a personal AI assistant, in versions 2026.2.13 and prior. The issue arises specifically on macOS during the Claude CLI keychain credential refresh process, where the application constructs a shell command using the `security add-generic-password -w` utility to store an updated JSON blob containing OAuth tokens. Since these tokens are user-controlled, they enable injection of arbitrary commands into the shell execution.

The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L), indicating exploitation over the network with low complexity, requiring low privileges and user interaction. A low-privileged user or attacker with network access can exploit it by supplying a malicious OAuth token—potentially via phishing or a compromised authentication flow—tricking the victim into triggering the credential refresh. Successful exploitation allows arbitrary command execution on the macOS host, resulting in high confidentiality and integrity impacts, such as data theft or system modification, with low availability disruption.

Mitigation is available in OpenClaw version 2026.2.14, as detailed in the project's GitHub release notes and related commits (e.g., 66d7178f2d6f9d60abad35797f97f3e61389b70c, 9dce3d8bf83f13c067bc3c32291643d2f1f10a06, b908388245764fb3586859f44d1dff5372b19caf) and pull request #15924, which address the insecure shell command construction. Security practitioners should urge users to update immediately and review macOS keychain access patterns in similar CLI tools handling user-controlled inputs.

EU & UK References

Vulnerability details

OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via `security add-generic-password -w ...`. Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: matched keywords "ai", "claude"

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

OS command injection (CWE-78) in a macOS desktop application directly enables arbitrary Unix shell execution (T1059.004) via a malicious OAuth token supplied during credential refresh; it also maps to client-side code execution through exploitation (T1203), given the AV:N/PR:L/UI:R vector and the high confidentiality and integrity impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25157 (same product: Apple macOS)
CVE-2026-32016 (same product: Apple macOS)
CVE-2026-26323 (same product: Openclaw Openclaw)
CVE-2026-28460 (same product: Openclaw Openclaw)
CVE-2026-32010 (same product: Openclaw Openclaw)
CVE-2026-27566 (same product: Openclaw Openclaw)
CVE-2026-31996 (same product: Openclaw Openclaw)
CVE-2026-32056 (same product: Openclaw Openclaw)
CVE-2026-28463 (same product: Openclaw Openclaw)
CVE-2026-32003 (same product: Openclaw Openclaw)

Affected Assets

Vendor: openclaw
Product: openclaw
Versions: ≤ 2026.2.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation)

Requires validation of user-controlled OAuth tokens before insertion into shell commands, directly preventing the OS command injection vulnerability.

prevent · SI-2 (Flaw Remediation)

Ensures timely patching to OpenClaw version 2026.2.14, which fixes the insecure shell command construction during keychain credential refresh.

detect

Facilitates vulnerability scanning to identify CVE-2026-27487 in deployed OpenClaw instances, enabling proactive remediation.

References