js · openclaw · Critical
OpenClaw exec allowlist bypasses argPattern on Linux/macOS
What changed
OpenClaw's exec allowlist on Linux and macOS skipped argPattern checks, allowing disallowed arguments for allowlisted executables when tools.exec.security was set to allowlist.
Who it affects
OpenClaw gateway deployments on Linux or macOS with exec configured as allowlist and at least one allowlist entry using argPattern.
What to do today
Upgrade to [email protected] or later and review allowlist entries that combine executable path with argPattern, especially for interpreter-like tools.
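A sketch of the check this advisory concerns, together with the review step above, added here as an example and not taken from OpenClaw's code. Only `tools.exec.security` and `argPattern` come from the advisory; the `allowlist` and `path` key names, the space-joined argument matching and the interpreter list are assumptions.

```javascript
// Added example; not OpenClaw's code. The config shape is assumed except for
// `tools.exec.security` and `argPattern`, which the advisory names.
const sampleConfig = { // constructed sample data
  tools: { exec: { security: "allowlist", allowlist: [
    { path: "/usr/bin/git", argPattern: "^(status|log)( --oneline)?$" },
    { path: "/usr/bin/python3", argPattern: "^/opt/scripts/[a-z_]+\\.py$" },
    { path: "/usr/bin/uptime" }, // path-only entry, no argument constraint
  ] } },
};

// Basenames treated as interpreter-like for review purposes (assumed list).
const INTERPRETERS = new Set(["sh", "bash", "zsh", "python", "python3", "node", "perl", "ruby"]);

// Reference check: an entry that carries argPattern must match BOTH the
// executable path and the arguments, on every platform.
function isAllowed(config, exe, args) {
  const exec = config.tools.exec;
  if (exec.security !== "allowlist") return false; // example covers allowlist mode only
  return exec.allowlist.some((entry) => {
    if (entry.path !== exe) return false;
    if (entry.argPattern === undefined) return true;
    // Assumption: the pattern is tested against the space-joined argument list.
    return new RegExp(entry.argPattern).test(args.join(" "));
  });
}

// Path-only check: the outcome the advisory describes when argPattern is skipped.
function isAllowedPathOnly(config, exe) {
  return config.tools.exec.allowlist.some((entry) => entry.path === exe);
}

// Audit helper: list entries that rely on argPattern, interpreter-like tools first.
function auditEntries(config) {
  return config.tools.exec.allowlist
    .filter((e) => e.argPattern !== undefined)
    .map((e) => ({
      path: e.path,
      argPattern: e.argPattern,
      interpreter: INTERPRETERS.has(e.path.split("/").pop()),
    }))
    .sort((a, b) => Number(b.interpreter) - Number(a.interpreter));
}
```

Comparing `isAllowed` with `isAllowedPathOnly` for the same executable works as a regression test after upgrading: any call where the two differ depends on argPattern being enforced.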