OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators…
VulnCheck·CWE-184·Published 2026-03-03
OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowlisted, attackers can use env -S to bypass policy analysis and execute shell wrapper payloads at runtime.
### Summary

In `allowlist` mode, `system.run` guardrails could be bypassed through `env -S`, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.

### Severity Rationale (Medium)

This issue is rated **medium** because it is a guardrail/policy bypass in OpenClaw's trusted-operator model, not an authentication boundary break.

- Authenticated Gateway callers are trusted operators by design.
- `exec` approvals/allowlists are operator safety controls.
- The bug still weakens expected safety behavior and can enable unintended command execution when untrusted content influences tool input.

### Affected Packages / Versions

- Package: `openclaw` (npm)
- Vulnerable versions: `<= 2026.2.22-2`
- Patched versions: `>= 2026.2.23`

Latest published npm version checked during triage: `2026.2.22-2`.

### Technical Impact

When `/usr/bin/env` is allowlisted, `env -S 'sh -c ...'` could be treated as allowed non-wrapper argv while runtime still executes shell-wrapper semantics.

### Fix Commit(s)

- `a1c4bf07c6baad3ef87a0e710fe9aef127b1f606` (core allowlist/runtime parity hardening)
- `3f923e831364d83d0f23499ee49961de334cf58b` (explicit `env -S` regressions)

### Release Process Note

`patched_versions` is pre-set to `>= 2026.2.23`, so this advisory is now public.

OpenClaw thanks @tdjackey for reporting.
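The mismatch described under Technical Impact goes away when the policy check resolves `env` wrappers, including `-S` split strings, before it consults the allowlist. The sketch below is an added illustration, not OpenClaw's code or the content of the fix commits; `splitEnvString`, `effectiveArgv`, `decide`, `naiveDecide` and the allowlist entries are hypothetical. It assumes a splitter that models only whitespace and simple quotes and denies everything it cannot parse.

```javascript
// Added illustration, not OpenClaw code; every name here is hypothetical.
const SHELLS = new Set(["sh", "bash", "dash", "zsh"]);
const base = (p) => p.split("/").pop();
// Split an `env -S` string; null on escapes or ${VAR}, which are not modelled.
function splitEnvString(s) {
  if (/[\\$]/.test(s)) return null;
  const out = [];
  let cur = "", quote = null, open = false;
  for (const ch of s) {
    if (quote) { if (ch === quote) quote = null; else cur += ch; }
    else if (ch === "'" || ch === '"') { quote = ch; open = true; }
    else if (/\s/.test(ch)) { if (open) out.push(cur); cur = ""; open = false; }
    else { cur += ch; open = true; }
  }
  if (quote) return null; // unterminated quote
  if (open) out.push(cur);
  return out;
}

// Peel `env` wrappers down to the argv that really runs; null if not understood.
function effectiveArgv(argv, depth = 0) {
  if (depth > 4 || argv.length === 0) return null;
  if (base(argv[0]) !== "env") return argv;
  for (let i = 1; i < argv.length; i++) {
    const a = argv[i];
    const m = /^(?:-S|--split-string(?:=|$))(.*)$/s.exec(a);
    if (m) {
      const attached = a !== "-S" && a !== "--split-string";
      const split = splitEnvString(attached ? m[1] : argv[i + 1] ?? "");
      const rest = argv.slice(i + (attached ? 1 : 2));
      return split && effectiveArgv(["env", ...split, ...rest], depth + 1);
    }
    if (a === "-i" || a === "-" || a === "--") continue;
    if (a === "-u" || a === "-C") { i++; continue; } // option plus its value
    if (a.startsWith("-")) return null; // unknown option: fail closed
    if (/^[A-Za-z_][A-Za-z0-9_]*=/.test(a)) continue; // NAME=VALUE assignment
    return effectiveArgv(argv.slice(i), depth + 1);
  }
  return null; // bare `env` runs no command
}

// argv[0]-only check: approves the wrapper without seeing what it runs.
const naiveDecide = (argv, allow) => (allow.has(argv[0]) ? "allow" : "deny");

// Decide on the unwrapped argv so analysis matches what the runtime executes.
function decide(argv, allow) {
  const real = effectiveArgv(argv);
  if (!real || !allow.has(argv[0])) return "deny";
  if (SHELLS.has(base(real[0])) && real.includes("-c")) return "shell-wrapper";
  return allow.has(real[0]) ? "allow" : "deny";
}
```

A `shell-wrapper` verdict is meant to be routed to whatever handling the policy applies to `sh -c` payloads rather than treated as a plain allowlisted binary.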
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 7.1 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |
| 3.1 | Secondary | NVD | 7.1 | 2.8 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |
| 4.0 | Primary | cve.org | 7.1 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |
| 4.0 | Secondary | NVD | 7.1 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| 4.0 | Secondary | GHSA | 5.3 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |