CVE-2026-27487

HIGH CVSS 3.1: 7.6 EPSS 0.03%
Updated Feb 21, 2026
Openclaw
| Parameter | Value |
|---|---|
| CVSS | 7.6 (HIGH) |
| Fixed In | 2026.2.14 |
| Type | CWE-78 (OS Command Injection) |
| Vendor | Openclaw |
| Public PoC | No |

OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk.

This issue has been fixed in version 2026.2.14.
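The difference between building a shell command string and passing the value as a single argument, as an added example (not OpenClaw's code and not taken from its fix). It assumes a stand-in child process in place of the macOS `security` tool so it runs on any system with `/bin/sh`; the function names and sample blobs are constructed for illustration.

```javascript
const { execFileSync } = require("node:child_process");

// Stand-in for the macOS `security` tool (assumption, so this runs anywhere):
// a child process that prints the last argument it received.
const NODE = process.execPath;
const ECHO_LAST_ARG = "process.stdout.write(process.argv[process.argv.length-1])";

// Pattern the advisory describes: the blob is pasted into a shell command line.
// The shell re-parses the whole string, so a quote inside the blob ends the
// quoting and what follows is interpreted as shell syntax.
function storeViaShellString(blob) {
  const cmd = `"${NODE}" -e '${ECHO_LAST_ARG}' '${blob}'`;
  return execFileSync("/bin/sh", ["-c", cmd], { encoding: "utf8" });
}

// Hardened pattern: no shell at all. The blob is one argv element, e.g.
//   execFileSync("security", ["add-generic-password", /* other flags */ "-w", blob])
function storeViaArgv(blob) {
  return execFileSync(NODE, ["-e", ECHO_LAST_ARG, blob], { encoding: "utf8" });
}

// True when the child received exactly the bytes the caller meant to store.
function arrivesIntact(store, blob) {
  return store(blob) === blob;
}

// Constructed credential blobs; the second carries a quote and a harmless
// command substitution in the token field.
const benignBlob = JSON.stringify({ accessToken: "abc123", expiresAt: 0 });
const hostileBlob = JSON.stringify({ accessToken: "x'$(echo INJECTED)'", expiresAt: 0 });

for (const [name, store] of [["shell string", storeViaShellString], ["argv", storeViaArgv]]) {
  console.log(`${name}: benign intact=${arrivesIntact(store, benignBlob)}, ` +
    `hostile intact=${arrivesIntact(store, hostileBlob)}`);
}
```

The intact/altered comparison also works as a regression test: feed token values containing quotes and `$()` through the storage path and fail the build if the stored value differs from the input.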

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Privileges Required: Low (basic privileges needed)
User Interaction: Required (user action required)

Impact Assessment

Confidentiality: High (complete data leak)
Integrity: High (complete data modification)
Availability: Low (partial disruption)

CVSS Vector v3.1

Weakness Type (CWE)