What is CVE-2026-44115?

A high-severity (CVSS 8.8) execution allowlist bypass vulnerability in OpenClaw that allows attackers to embed shell expansion tokens within unquoted heredoc bodies.

How does CVE-2026-44115 work?

Attackers craft heredoc input containing shell expansion tokens. These expand before the allowlist can analyze them, allowing unapproved commands to execute at runtime.

What is the fix for CVE-2026-44115?

Upgrade to OpenClaw v2026.4.22 or later where heredoc bodies are properly sanitized before allowlist evaluation.

← Back to dashboard

clawsmith.com/signal/cve-2026-44115-shell-expansion-bypass-safebins-heredoc

⚠ IssueWide OpenLive

CVE-2026-44115: OpenClaw Shell Expansion Bypass Lets Attackers Run Unapproved Commands via Heredoc

CVE-2026-44115 published May 6 2026 with CVSS 8.8. Execution allowlist bypass allowing attackers to embed shell expansion tokens within unquoted heredoc bodies, subverting safeBins controls. Fixed in v2026.4.22.

Product Idea from this Signal

A security service that auto-patches OpenClaw CVEs within hours of disclosure before attackers exploit them

460.5k ▲

OpenClaw shipped 9 CVEs in 4 days (March 2026) including a CVSS 9.9 privilege escalation affecting 135K+ exposed instances. Most operators have no way to know which CVEs affect their version, no automated patching, and no coordination between the flood of advisories (156+ total) and their actual attack surface. This tool continuously monitors CVE feeds, maps each advisory to your installed version and enabled features, and applies safe mitigations automatically while queuing risky patches for human approval.

SECURITYCLIDEVTOOLOPEN-SOURCESYSADMIN

CompetitiveView Opportunity →