GHSA-9Q2P-VC84-2RWM: GHSA-9Q2P-VC84-2RWM: Parser Differential Vulnerability in OpenClaw Security Allowlist

Source: Dev.to

Vulnerability Overview

• Vulnerability ID: GHSA-9Q2P-VC84-2RWM
• CVSS Score: 6.5
• Published: 2026-03-09
• CWE IDs: CWE‑115, CWE‑436
• Attack Vector: Contextual / Local
• Authentication: None (requires user interaction)
• Platform: POSIX (Linux, macOS)
• Exploit Status: Proof of Concept

A parser differential vulnerability exists in the OpenClaw system.run host tool. The security analysis engine fails to correctly parse POSIX shell comments, allowing attackers to bypass the allowlist via the allow‑always persistence mechanism.

Affected Versions

• OpenClaw versions prior to v2026.3.7 incorrectly parse shell comments during command analysis.
• Fixed in OpenClaw v2026.3.7.

Technical Details

• The vulnerability allows an attacker to append a malicious payload after a shell comment (#).
• The persistence engine interprets the entire line (including the comment) as trusted, permanently allowing the unauthorized payload without user consent.
• Affected components: system.run host tool on both Linux and macOS.

Fixes

• Upgrade OpenClaw to v2026.3.7 or later.
• Disable the allow‑always persistence feature in the system.run configuration.
• Audit the persistence database for entries containing shell‑commented payload tails.

Remediation Steps

1. Identify all instances of OpenClaw running in the environment.
2. Update the OpenClaw package to v2026.3.7 using the appropriate package manager.
3. Restart the OpenClaw service to load the new tokenization logic.
4. Review stored allowlist patterns for entries that contain suspicious commands trailing a # character.
5. Delete any malicious patterns from the persistence store.

References

• GitHub Advisory: GHSA-9Q2P-VC84-2RWM
• OpenClaw Security Advisory
• Fix Commit: 939b184
• OpenClaw Release: v2026.3.7

For the full report, including interactive diagrams and detailed exploit analysis, refer to the official advisory on the OpenClaw website.