Skip to content
Threat Feed
high threat exploited

OpenClaw Exec Approval Truncation Vulnerability

A high-severity vulnerability in OpenClaw's exec approval feature (versions prior to 2026.5.18) allows an authenticated attacker to bypass approval integrity by crafting a long command that appears benign in the truncated UI but contains a malicious suffix, leading to unauthorized command execution.

A high-severity vulnerability has been identified in the OpenClaw application, specifically affecting its exec approval display in versions prior to 2026.5.18. This flaw allows for the truncation of commands presented to an approver within the user interface, while the full command, including any hidden suffixes, is retained for execution. An authenticated attacker can exploit this by submitting a crafted, oversized command where a benign prefix is visible in the UI, but a malicious suffix containing additional shell operations remains hidden. Upon approval, the complete, malicious command is executed. This issue fundamentally undermines the integrity of the approval process by misrepresenting the actual command to be run. While it does not grant unauthenticated access or alter OpenClaw's local-first trust model, it poses a significant risk in deployments where exec approval is enabled, allowing an attacker to effectively bypass human review for potentially dangerous commands.

Attack Chain

  1. An authenticated attacker crafts a malicious command that is intentionally long, containing a benign-looking prefix and a hidden, malicious suffix with additional shell operations (e.g., echo "legit_cmd_output"; malicious_command_here).
  2. The attacker initiates a pending host exec request within OpenClaw, submitting this crafted, oversized command.
  3. When the command is presented to an approver in the OpenClaw UI, the display truncation vulnerability causes only the benign prefix of the command to be visible.
  4. The approver, unaware of the hidden malicious suffix, reviews the truncated command and proceeds to authorize its execution.
  5. Upon successful approval, the OpenClaw system executes the full original command, including the hidden malicious suffix, on the target host.
  6. The malicious_command_here from the hidden suffix executes with the privileges of the OpenClaw agent on the target system, potentially leading to unauthorized actions such as data exfiltration, system modification, or further compromise.

Impact

The core impact of this vulnerability is a critical failure in the integrity of OpenClaw's exec approval mechanism. An approver, relying on the displayed command, could unknowingly authorize the execution of arbitrary and potentially malicious shell commands on a target system. This effectively bypasses a crucial security control designed to prevent unauthorized or unintended actions. While the advisory does not specify observed exploitation in the wild or provide victim counts, any organization utilizing OpenClaw with exec approval enabled and not running a patched version is vulnerable. The potential damage could range from data manipulation and service disruption to complete system compromise, depending on the nature of the hidden malicious command and the privileges granted to OpenClaw.

Recommendation

  • Upgrade to openclaw@2026.5.18 or later immediately to apply the patch for this vulnerability.
  • Prior to upgrading any systems running OpenClaw versions < 2026.5.18, refrain from approving unusually long exec commands to mitigate potential exploitation.
  • Ensure that OpenClaw exec approval capabilities are strictly limited to highly trusted operators who are aware of the truncation vulnerability.