CVE-2026-27487 HIGH

CVE-2026-27487: OpenClaw: Prevent shell injection in macOS keychain credential write

Vendor Openclaw
Product openclaw
Weakness CWE-78
Published February 21, 2026
Last update February 24, 2026

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

Description

OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, on macOS, the Claude CLI keychain credential refresh path built a shell command string to write the updated JSON credential blob into the Keychain via security add-generic-password -w .... Because that blob carries OAuth tokens, which are user-controlled data, interpolating it into the command line created an OS command injection risk (CWE-78). This issue has been fixed in version 2026.2.14.

Key dates

Disclosure timeline

February 21, 2026 CVE published
February 24, 2026 Record updated