Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-5u6m-gc2d-uuee

Summary

OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains
`system.run` exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap `env`/shell-dispatch wrappers.

This allowed wrapper-smuggled payloads (for example `env bash -lc ...`) to satisfy an allowlist entry for the wrapper while executing non-allowlisted commands.

Aliases

alias	CVE-2026-27566

alias	GHSA-jj82-76v6-933r

Fixed_packages

url pkg:npm/openclaw@2026.2.22

purl pkg:npm/openclaw@2026.2.22

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1syh-9dme-bfdn

vulnerability	VCID-6k3m-6kjx-yfgn

vulnerability	VCID-bbm8-2r84-puh5

vulnerability	VCID-gq39-w2ua-3ua5

vulnerability	VCID-rawy-syu6-q7g2

vulnerability	VCID-usnj-f1tv-p7eh

vulnerability	VCID-vfsy-yqgt-4bfr

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.2.22

Affected_packages

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-27566

reference_id

reference_type

scores

value	0.00101
scoring_system	epss
scoring_elements	0.27501
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-27566

reference_url

https://github.com/openclaw/openclaw

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/openclaw/openclaw

reference_url

https://github.com/openclaw/openclaw/commit/2b63592be57782c8946e521bc81286933f0f99c7

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:06:54Z/

url

https://github.com/openclaw/openclaw/commit/2b63592be57782c8946e521bc81286933f0f99c7

reference_url

https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-wrapper-binary-unwrapping-in-system-run

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:06:54Z/

url

https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-wrapper-binary-unwrapping-in-system-run

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-27566

reference_id

CVE-2026-27566

reference_type

scores

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-27566

reference_url

https://github.com/advisories/GHSA-jj82-76v6-933r

reference_id

GHSA-jj82-76v6-933r

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jj82-76v6-933r

reference_url

https://github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r

reference_id

GHSA-jj82-76v6-933r

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-19T16:06:54Z/

url

https://github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r

Weaknesses

cwe_id	78
name	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
description	The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

cwe_id	863
name	Incorrect Authorization
description	The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 7.0 - 8.9

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5u6m-gc2d-uuee

Vulnerability Instance