VYPR
High severityNVD Advisory· Published Feb 21, 2026· Updated Feb 24, 2026

OpenClaw: Prevent shell injection in macOS keychain credential write

CVE-2026-27487

Description

OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
openclawnpm
< 2026.2.142026.2.14

Affected products

2

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.