Security Advisories | Source: GitHub Security Advisories
[openclaw] OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)
By GitHub, March 3, 2026
**Summary**

OpenClaw exec approvals could be bypassed in allowlist mode when allow-always was granted through unrecognized multiplexer shell wrappers (notably busybox sh -c and toybox sh -c).

**Affected Packages / Versions**

- Package: openclaw (npm)
- Affected: <= 2026.2.22-2
- Latest published vulnerable version at triage time: 2026.2.22-2 (checked on February 24, 2026)
- Fixed on main: yes
- Patched release: 2026.2.23

**Details**

Wrapper analysis treated busybox/toybox invocations as non-wrapper commands in this path, so allow-always persisted the wrapper binary path instead of the inner executable. That allowed later arbitrary payloads under the same multiplexer wrapper to satisfy the stored allowlist rule. The fix hardens wrapper detection and persistence behavior for these multiplexer shell applets so approvals bind to intended inner executables and fail closed when unwrap safety is uncertain.

**Fix Commit(s)**

a67689a7e3ad494b6637c76235a664322d526f9e

**Release Process Note**

patched_versions is pre-set to the released version (2026.2.23)...
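
The persistence rule described under Details, sketched as an added example (not OpenClaw's code or the fix commit): it contrasts keying an allow-always rule on `argv[0]` with unwrapping `busybox`/`toybox` shell applets and failing closed. All function names, the shell and multiplexer lists, and the metacharacter filter are assumptions; a real implementation would also resolve the inner executable to an absolute path.

```javascript
// Added illustration: hypothetical names, not OpenClaw's real API.
const SHELLS = new Set(["sh", "ash", "bash", "dash"]);
const MULTIPLEXERS = new Set(["busybox", "toybox"]);
// Characters that make a `-c` payload more than a list of plain words.
const UNSAFE = /[;&|`$()<>\\'"\n*?{}\[\]~#!]/;
const base = (p) => p.slice(p.lastIndexOf("/") + 1);

// Vulnerable shape described in the advisory: busybox/toybox are not seen as
// wrappers, so the stored rule is keyed on the wrapper binary itself.
function naiveTarget(argv) {
  return argv.length > 0 ? argv[0] : null;
}

// Hardened shape: return the inner executable to persist, or null to
// fail closed when the command cannot be unwrapped safely.
function hardenedTarget(argv) {
  if (argv.length === 0) return null;
  const viaMux = MULTIPLEXERS.has(base(argv[0]));
  const rest = viaMux ? argv.slice(1) : argv; // applet name becomes argv[0]
  if (rest.length === 0) return null;
  if (!SHELLS.has(base(rest[0]))) {
    // Assumption: a non-shell applet has no stable path to bind to, so refuse.
    return viaMux ? null : rest[0];
  }
  // Only the exact form `<shell> -c <payload>` is unwrapped.
  if (rest.length !== 3 || rest[1] !== "-c" || UNSAFE.test(rest[2])) return null;
  const words = rest[2].trim().split(/\s+/).filter(Boolean);
  if (words.length === 0 || words[0].includes("=")) return null;
  return hardenedTarget(words); // the inner command may itself be wrapped
}

// Grant "allow always" for one command, then check a later one against the
// resulting allowlist. Returns true when the later command runs unprompted.
function replay(targetFn, approvedArgv, laterArgv) {
  const allowlist = new Set();
  const approved = targetFn(approvedArgv);
  if (approved !== null) allowlist.add(approved);
  const later = targetFn(laterArgv);
  return later !== null && allowlist.has(later);
}

// Constructed sample commands.
const approved = ["busybox", "sh", "-c", "git status"];
const different = ["busybox", "sh", "-c", "rm -rf build"];
console.log(replay(naiveTarget, approved, different));    // true
console.log(replay(hardenedTarget, approved, different)); // false
```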
---
**[devsupporter commentary]**
This article is the latest development news provided by GitHub Security Advisories. To learn more about the related tools and technologies, see the original link.
![[openclaw] OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)](/assets/images/github_com_1772501103916.png)