Source: GitHub Security Advisories

[openclaw] OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution

By GitHub
March 3, 2026

**Summary**

In openclaw npm releases up to and including 2026.2.21-2, approving wrapped `system.run` commands with `allow-always` in `security=allowlist` mode could persist wrapper-level allowlist entries and enable later approval-bypass execution of different inner payloads.

**Affected Packages / Versions**

- Package: openclaw (npm)
- Affected versions: <= 2026.2.21-2
- Planned patched version: 2026.2.22

**Details**

`allow-always` persistence was based on wrapper-level resolution instead of stable inner executable intent. A benign approved wrapper invocation could therefore broaden future trust boundaries. Affected paths included gateway and node-host execution approval persistence flows. The fix now persists inner executable paths for known dispatch-wrapper chains (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) and fails closed when safe unwrapping cannot be derived...
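The mitigation described in the details, as an added sketch that is not OpenClaw's own code: the allowlist entry is derived from the inner executable behind the five named dispatch wrappers, and anything that cannot be unwrapped with certainty yields no entry. The function name, option tables and depth limit are assumptions made for this example, and the argv is assumed to be already tokenized, with shells and other interpreters out of scope.

```javascript
// Added illustration; every name here is hypothetical, not OpenClaw's API.
// flags: options without a value; valued: options whose value is the next token;
// positional: operands that precede the inner command (timeout's DURATION).
const WRAPPERS = {
  env:     { flags: ["-i"], valued: ["-u"], positional: 0, assignments: true },
  nice:    { flags: [], valued: ["-n"], positional: 0 },
  nohup:   { flags: [], valued: [], positional: 0 },
  stdbuf:  { flags: [], valued: ["-i", "-o", "-e"], positional: 0 },
  timeout: { flags: ["--foreground", "--preserve-status", "-v"],
             valued: ["-s", "-k"], positional: 1 },
};
const MAX_DEPTH = 4; // assumed cap on wrapper nesting

// Returns the inner executable to persist for allow-always,
// or null when no entry may be persisted (fail closed).
function resolveAllowAlwaysTarget(argv, depth = 0) {
  if (!Array.isArray(argv) || argv.length === 0 || depth > MAX_DEPTH) return null;
  if (argv.some((t) => typeof t !== "string" || t === "")) return null;
  const spec = WRAPPERS[argv[0].split("/").pop()];
  if (!spec) return argv[0]; // not a known wrapper: this is the inner executable
  let i = 1;
  while (i < argv.length && argv[i].startsWith("-")) {
    const tok = argv[i];
    if (tok === "--") { i += 1; break; }
    if (spec.flags.includes(tok)) i += 1;
    else if (spec.valued.includes(tok)) i += 2;
    else return null; // unrecognised option (e.g. env -S): refuse to guess
  }
  if (spec.assignments) {
    // env NAME=value operands come before the command
    while (i < argv.length && /^[A-Za-z_][A-Za-z0-9_]*=/.test(argv[i])) i += 1;
  }
  i += spec.positional;
  if (i >= argv.length) return null; // wrapper with no inner command
  return resolveAllowAlwaysTarget(argv.slice(i), depth + 1);
}

// Constructed sample: same wrapper, different inner executables.
const approved = ["/usr/bin/env", "LANG=C", "/usr/bin/git", "status"];
const later = ["/usr/bin/env", "LANG=C", "/usr/bin/curl", "https://example.invalid"];
console.log(resolveAllowAlwaysTarget(approved)); // /usr/bin/git
console.log(resolveAllowAlwaysTarget(later));    // /usr/bin/curl
```

Keyed on `argv[0]`, both constructed commands would share the entry `/usr/bin/env`; keyed on the unwrapped target, the second command does not match the approval given to the first.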
