GHSA-4564-pvr2-qq4h: OpenClaw: Prevent shell injection in macOS keychain credential write
Summary
OpenClaw on macOS had a shell injection vulnerability (a flaw that lets an attacker run arbitrary commands) in the code that stores authentication tokens in the system keychain. User-controlled OAuth tokens were interpolated directly into a shell command string without escaping, so a token containing shell metacharacters (a closing quote followed by `;`, for example) could terminate the intended `security` command and run attacker-chosen commands with the privileges of the user running the tool.
Solution / Mitigation
Update to version 2026.2.14 or later. The fix avoids invoking a shell at all: it calls `execFileSync("security", argv)` with the updated keychain payload passed as a literal argv element, instead of building a shell command string, so the token is never parsed by `/bin/sh` and cannot break out of its argument.
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-4564-pvr2-qq4h
First tracked: February 18, 2026 at 03:00 PM
Classified by LLM (prompt v3) · confidence: 95%