
GHSA-9Q2P-VC84-2RWM: Parser Differential Vulnerability in OpenClaw Security Allowlist

Vulnerability ID: GHSA-9Q2P-VC84-2RWM
CVSS Score: 6.5
Published: 2026-03-09

A parser differential vulnerability exists in the OpenClaw AI assistant's system.run host tool. The security analysis engine fails to parse POSIX shell comments correctly, so the command it evaluates is not the command the shell executes. This lets attackers bypass the allowlist via the allow-always persistence mechanism.

TL;DR

OpenClaw versions prior to v2026.3.7 parse shell comments incorrectly during command analysis. An attacker can append a malicious payload behind what the analyzer takes to be a shell comment: the analyzer judges only the harmless-looking prefix, while the shell still executes the payload. Because the allow-always persistence engine records its decision based on the analyzer's view, the unauthorized payload becomes permanently trusted without the user's informed consent.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-115 / CWE-436
Attack Vector: Contextual/Local
Authentication: None (Requires User Interaction)
Platform: POSIX (Linux, macOS)
Exploit Status: Proof of Concept
Patch Version: v2026.3.7

Affected Systems

OpenClaw system.run host tool (Linux
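The comment-handling differential described above, as an added illustration that is not part of the advisory and not OpenClaw's code. A naive analyzer that treats everything from the first '#' to the end of the input as a comment is compared against POSIX sh token recognition rules, under which an unquoted, unescaped '#' opens a comment only when it begins a new word, and the comment ends at the newline. The allowlist, the command-name extraction and the AllowAlwaysStore are hypothetical stand-ins; the advisory does not show how OpenClaw's pre-v2026.3.7 analyzer parses commands or how its persistence keys its rules, and all sample inputs are constructed.

```python
import re

# Hypothetical allowlist of command names the user has approved (constructed).
ALLOWLIST = {"echo", "ls", "cat"}

# Blanks and operator characters end a word, so a '#' right after one begins a
# new word and therefore a comment (POSIX.1 2.3, token recognition rules 8/9).
WORD_BREAKERS = set(" \t\n;&|()<>")


def naive_strip_comments(cmd: str) -> str:
    """Flawed analyzer view (hypothetical): everything from the first '#' to
    END OF INPUT is treated as a comment, regardless of quoting or position."""
    return cmd.split("#", 1)[0]


def posix_strip_comments(cmd: str) -> str:
    """Remove comments the way sh does: '#' opens a comment only when it is
    unquoted, unescaped and begins a word; the comment ends at the newline."""
    out, i, n = [], 0, len(cmd)
    at_word_start = True
    while i < n:
        c = cmd[i]
        if c == "\\" and i + 1 < n:              # escaped character: literal, part of a word
            out.append(cmd[i:i + 2])
            i += 2
            at_word_start = False
            continue
        if c in "'\"":                            # quoted string: copied verbatim
            j = i + 1
            while j < n and cmd[j] != c:
                j += 2 if (c == '"' and cmd[j] == "\\") else 1
            out.append(cmd[i:j + 1])
            i = j + 1
            at_word_start = False
            continue
        if c == "#" and at_word_start:            # comment runs up to, not past, the newline
            nl = cmd.find("\n", i)
            i = n if nl == -1 else nl
            continue
        out.append(c)
        at_word_start = c in WORD_BREAKERS
        i += 1
    return "".join(out)


def command_names(shell_text: str) -> list[str]:
    """First word of each simple command, split on newlines and control
    operators. Ignores quoting on purpose; enough to expose the differential."""
    names = []
    for chunk in re.split(r"\n|;|&&|\|\||\||&", shell_text):
        words = chunk.split()
        if words:
            names.append(words[0])
    return names


def analyzer_allows(cmd: str, strip) -> bool:
    """Allow only if every command name the analyzer sees is allowlisted."""
    return all(name in ALLOWLIST for name in command_names(strip(cmd)))


class AllowAlwaysStore:
    """Hypothetical 'allow always' persistence: remembers the analyzer's view
    of a command the user approved once, and skips the prompt afterwards."""

    def __init__(self, strip):
        self.strip = strip
        self.trusted: set[str] = set()

    def approve_always(self, cmd: str) -> None:
        self.trusted.add(self.strip(cmd).strip())

    def is_trusted(self, cmd: str) -> bool:
        return self.strip(cmd).strip() in self.trusted


def demo(cmd: str) -> dict:
    """Compare the naive analyzer's verdict with what sh would actually run."""
    naive_ok = analyzer_allows(cmd, naive_strip_comments)
    sh_runs = command_names(posix_strip_comments(cmd))
    store = AllowAlwaysStore(naive_strip_comments)
    if naive_ok:
        store.approve_always(cmd)   # user sees only the harmless prefix and picks "always"
    return {
        "naive_allows": naive_ok,
        "naive_sees": command_names(naive_strip_comments(cmd)),
        "sh_runs": sh_runs,
        "persisted": store.is_trusted(cmd),
        "differential": naive_ok and any(n not in ALLOWLIST for n in sh_runs),
    }


if __name__ == "__main__":
    # Constructed attacker inputs: the payload sits behind what the naive
    # analyzer takes for a comment but sh does not.
    for sample in ("echo hi#; id", "echo hi # note\nid", 'echo "#"; id', "ls -l # list"):
        print(repr(sample), demo(sample))
```

The three constructed inputs show the three ways the naive view diverges from sh: a '#' glued to a word ("hi#") is not a comment, a comment ends at the newline so the next line still runs, and a '#' inside quotes is data. In each case the analyzer sees only "echo" and approves, while sh also runs "id". The store shows the persistence side of the problem: because its key is the analyzer's view, approving the genuinely harmless "echo hi # note" once also trusts "echo hi#; id" forever, with no further prompt. Keying the store on the POSIX-parsed command, as in the last assertion of the test, removes that overlap.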
Continue reading on Dev.to