{"data":{"id":"1b9743cc-5842-43b6-a87c-fd769598385a","title":"GHSA-4564-pvr2-qq4h: OpenClaw: Prevent shell injection in macOS keychain credential write","summary":"The Claude CLI credential handling in OpenClaw on macOS had a shell injection vulnerability (a flaw that lets an attacker run arbitrary commands) in the code that writes authentication tokens to the system keychain. User-controlled OAuth token values were inserted directly into a shell command string without escaping or quoting, so a crafted token could break out of the intended command and execute arbitrary commands.","solution":"Update to version 2026.2.14 or later. The fix avoids invoking a shell by using `execFileSync(\"security\", argv)` and passing the updated keychain payload as a literal argument instead of constructing a shell command string.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-4564-pvr2-qq4h","publishedAt":"2026-02-18T17:39:00.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.2.14 (fixed: 2026.2.14)"],"affectedVendors":["Anthropic"],"affectedVendorsRaw":["Anthropic","Claude CLI","OpenClaw"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}