OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)

Summary

OpenClaw tools.exec.safeBins had a stdin-only policy bypass for grep.
If pattern input was supplied through -e / --regexp, the validator consumed the pattern as a flag value and still allowed one positional operand. That positional could be a bare filename like .env.

Affected Packages / Versions

• Package: openclaw (npm)
• Latest published vulnerable version: 2026.2.19-2
• Structured vulnerable range: <= 2026.2.19-2
• Planned fixed range for next release: >= 2026.2.21

Exploit Preconditions

• tools.exec.safeBins must include grep (this is opt-in; grep is not in the default safe-bin list).
• An actor must be able to invoke exec tooling under that profile.

Technical Details

src/infra/exec-safe-bin-policy.ts configured grep with maxPositional: 1 and allowed -e / --regexp value flags.
Because -e consumes the pattern in flag-value position, the remaining positional budget could be used for a file operand.
Example accepted input in vulnerable builds:

grep -e SECRET .env

That violated the intended stdin-only guarantee for safe bins.

Impact

With grep opt-in enabled, callers could read bare-relative files from the working directory (for example .env, credentials.txt) in flows expected to be stdin-only.

Severity Rationale

CVSS v3.1 is set to:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (5.3, Medium)

AC:H is used because exploitation depends on a non-default configuration (grep must be explicitly added to safe bins) in addition to normal low-privilege tool-invocation capability.

Fix Commit(s)

• c6ee14d60e4cbd6a82f9b2d74ebeb1e8ee814964

Release Process Note

patched_versions is pre-set to >= 2026.2.21 so this advisory is ready to publish after the 2026.2.21 npm release is live.

OpenClaw thanks @athuljayaram for reporting.