Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can approve benign wrapped system.run commands and subsequently execute different payloads without approval, enabling remote code execution on gateway and node-host execution flows.
AnalysisAI
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in its allow-always wrapper persistence mechanism that enables remote code execution. Attackers with high privileges and user interaction can approve benign wrapped system.run commands, then subsequently execute arbitrary different payloads without requiring additional approval, compromising both gateway and node-host execution environments. A patch is available from the vendor, and this vulnerability is tagged as enabling both RCE and command injection attacks.
Technical ContextAI
The vulnerability exists in OpenClaw's wrapper-level allowlist persistence logic, which is documented as part of the allow-always wrapper feature. The root cause is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that the system fails to properly validate the intent of inner executables when wrapper-level approvals are cached. Instead of validating each execution request against the actual payload being run, the system persists approval decisions at the wrapper level, allowing attackers to approve a benign command and then substitute a malicious payload that reuses the same wrapper context. This affects OpenClaw across all affected versions as identified by CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*, and the flaw impacts both remote gateway execution flows and local node-host execution flows.
RemediationAI
Immediately upgrade OpenClaw to version 2026.2.22 or later, which includes the security patch addressing the wrapper persistence authorization bypass. The patch can be obtained from the official GitHub repository at https://github.com/openclaw/openclaw/commit/24c954d972400f508814532dea0e4dcb38418bb0. Until patching is completed, organizations should restrict high-privilege user access to OpenClaw approval workflows, enforce strict code review processes for wrapped system.run command approvals, and disable the allow-always wrapper feature if operationally feasible. Additionally, implement network segmentation to limit exposure of OpenClaw gateways and node hosts to trusted administrative networks only, and enable comprehensive audit logging of all wrapper approvals and command execution events to detect suspicious approval-then-execute patterns.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13015
GHSA-6j27-pc5c-m8w8