High severity · NVD Advisory · Published Feb 21, 2026 · Updated Feb 24, 2026
OpenClaw: Prevent shell injection in macOS keychain credential write
CVE-2026-27487
Description
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.
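The pattern the description names, shown beside an argument-array form, as an added example (not OpenClaw's code; the linked commits hold the actual fix). The service and account names, the double-quote interpolation, and the use of `echo` as a stand-in for `security` are assumptions made so the check runs on any POSIX host.

```javascript
// Added example, not OpenClaw's code. SERVICE and ACCOUNT are hypothetical.
const { execSync, execFileSync } = require('node:child_process');

const SERVICE = 'example-service'; // hypothetical keychain service name
const ACCOUNT = 'example-account'; // hypothetical keychain account name

// Pattern described in the advisory: the blob is pasted into a command line,
// so /bin/sh parses it. The double-quote wrapping is an assumption.
function writeViaShellString(blob, bin = 'security') {
  const cmd = `${bin} add-generic-password -U -s "${SERVICE}" -a "${ACCOUNT}" -w "${blob}"`;
  return execSync(cmd, { encoding: 'utf8' });
}

// Hardened form: no shell is started. Each array element reaches the program
// as exactly one argv entry, whatever characters it contains.
function writeViaArgv(blob, bin = 'security') {
  const args = ['add-generic-password', '-U', '-s', SERVICE, '-a', ACCOUNT, '-w', blob];
  return execFileSync(bin, args, { encoding: 'utf8' });
}

// Regression check: did the program receive the blob byte for byte?
// `echo` stands in for `security` and prints back the arguments it was given.
function blobArrivesIntact(writer, blob) {
  const seen = writer(blob, 'echo');
  return seen === `add-generic-password -U -s ${SERVICE} -a ${ACCOUNT} -w ${blob}\n`;
}

// Constructed credential blob: JSON quotes end the shell quoting, and the
// harmless command substitution in the token is then evaluated by the shell.
const SAMPLE_BLOB = JSON.stringify({ accessToken: 'tok-$(printf MARKER)', expiresAt: 0 });

console.log('shell string, plain value intact:', blobArrivesIntact(writeViaShellString, 'plain-token'));
console.log('shell string, sample blob intact:', blobArrivesIntact(writeViaShellString, SAMPLE_BLOB));
console.log('argv array,   sample blob intact:', blobArrivesIntact(writeViaArgv, SAMPLE_BLOB));
```

A plain token passes through both forms unchanged, which is why this class of bug survives casual testing. With the real `security` binary the argv form still places the secret on the process command line, where other local processes can read it; that exposure is separate from the injection.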
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.2.14 | 2026.2.14 |
References
- github.com/advisories/GHSA-4564-pvr2-qq4h (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-27487 (ADVISORY)
- github.com/openclaw/openclaw/commit/66d7178f2d6f9d60abad35797f97f3e61389b70c (MISC, WEB)
- github.com/openclaw/openclaw/commit/9dce3d8bf83f13c067bc3c32291643d2f1f10a06 (MISC, WEB)
- github.com/openclaw/openclaw/commit/b908388245764fb3586859f44d1dff5372b19caf (MISC, WEB)
- github.com/openclaw/openclaw/pull/15924 (MISC, WEB)
- github.com/openclaw/openclaw/releases/tag/v2026.2.14 (MISC, WEB)
- github.com/openclaw/openclaw/security/advisories/GHSA-4564-pvr2-qq4h (CONFIRM, WEB)