Description

OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.

INFO

Published Date :

2026-02-21T09:35:28.935Z

Last Modified :

2026-02-21T09:35:28.935Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27487 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27487.

URL Resource
https://github.com/openclaw/openclaw/commit/66d7178f2d6f9d60abad35797f97f3e61389b70c cve-icon cve-icon
https://github.com/openclaw/openclaw/commit/9dce3d8bf83f13c067bc3c32291643d2f1f10a06 cve-icon cve-icon
https://github.com/openclaw/openclaw/commit/b908388245764fb3586859f44d1dff5372b19caf cve-icon cve-icon
https://github.com/openclaw/openclaw/pull/15924 cve-icon cve-icon
https://github.com/openclaw/openclaw/releases/tag/v2026.2.14 cve-icon cve-icon
https://github.com/openclaw/openclaw/security/advisories/GHSA-4564-pvr2-qq4h cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact