Vulnerability Details CVE-2026-22175
OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers like busybox and toybox sh -c commands. Attackers can exploit this by invoking arbitrary payloads under the same multiplexer wrapper to satisfy stored allowlist rules, bypassing intended execution restrictions.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 15.8%
CVSS Severity
CVSS v3 Score 7.1
References
Products affected by CVE-2026-22175
-
cpe:2.3:a:openclaw:openclaw:0.1.0
-
cpe:2.3:a:openclaw:openclaw:0.1.1
-
cpe:2.3:a:openclaw:openclaw:0.1.2
-
cpe:2.3:a:openclaw:openclaw:0.1.3
-
cpe:2.3:a:openclaw:openclaw:1.0.4
-
cpe:2.3:a:openclaw:openclaw:1.1.0
-
cpe:2.3:a:openclaw:openclaw:1.2.0
-
cpe:2.3:a:openclaw:openclaw:1.2.1
-
cpe:2.3:a:openclaw:openclaw:1.2.2
-
cpe:2.3:a:openclaw:openclaw:1.3.0
-
cpe:2.3:a:openclaw:openclaw:2.0.0
-
cpe:2.3:a:openclaw:openclaw:2026.1.10
-
cpe:2.3:a:openclaw:openclaw:2026.1.11
-
cpe:2.3:a:openclaw:openclaw:2026.1.11-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.11-2
-
cpe:2.3:a:openclaw:openclaw:2026.1.11-3
-
cpe:2.3:a:openclaw:openclaw:2026.1.12
-
cpe:2.3:a:openclaw:openclaw:2026.1.12-2
-
cpe:2.3:a:openclaw:openclaw:2026.1.13
-
cpe:2.3:a:openclaw:openclaw:2026.1.14-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.15
-
cpe:2.3:a:openclaw:openclaw:2026.1.16-2
-
cpe:2.3:a:openclaw:openclaw:2026.1.20
-
cpe:2.3:a:openclaw:openclaw:2026.1.21
-
cpe:2.3:a:openclaw:openclaw:2026.1.22
-
cpe:2.3:a:openclaw:openclaw:2026.1.23
-
cpe:2.3:a:openclaw:openclaw:2026.1.24
-
cpe:2.3:a:openclaw:openclaw:2026.1.24-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.29
-
cpe:2.3:a:openclaw:openclaw:2026.1.30
-
cpe:2.3:a:openclaw:openclaw:2026.1.5
-
cpe:2.3:a:openclaw:openclaw:2026.1.5-1
-
cpe:2.3:a:openclaw:openclaw:2026.1.5-2
-
cpe:2.3:a:openclaw:openclaw:2026.1.5-3
-
cpe:2.3:a:openclaw:openclaw:2026.1.8
-
cpe:2.3:a:openclaw:openclaw:2026.1.9
-
cpe:2.3:a:openclaw:openclaw:2026.2.1
-
cpe:2.3:a:openclaw:openclaw:2026.2.12
-
cpe:2.3:a:openclaw:openclaw:2026.2.13
-
cpe:2.3:a:openclaw:openclaw:2026.2.14
-
cpe:2.3:a:openclaw:openclaw:2026.2.15
-
cpe:2.3:a:openclaw:openclaw:2026.2.17
-
cpe:2.3:a:openclaw:openclaw:2026.2.19
-
cpe:2.3:a:openclaw:openclaw:2026.2.2
-
cpe:2.3:a:openclaw:openclaw:2026.2.3
-
cpe:2.3:a:openclaw:openclaw:2026.2.6
-
cpe:2.3:a:openclaw:openclaw:2026.2.6-1
-
cpe:2.3:a:openclaw:openclaw:2026.2.6-2
-
cpe:2.3:a:openclaw:openclaw:2026.2.6-3
-
cpe:2.3:a:openclaw:openclaw:2026.2.9