Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8Blast Radius
ecosystem impact- 3 npm packages depend on openclaw (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.28.
DescriptionCVE.org
OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targets. Attackers can exploit positional carrier executable routing through dispatch wrappers to establish broader allowlist entries than intended, weakening execution approval boundaries.
AnalysisAI
Execution approval bypass in OpenClaw before 2026.3.28 allows local authenticated users with standard privileges to establish overly broad executable allowlist entries through wrapper carrier exploitation. Attackers leverage positional routing in dispatch wrappers to trust carrier executables instead of their invoked targets, escalating from limited execution approval to arbitrary code execution with high confidentiality and integrity impact. Vendor-released patch version 2026.3.28 addresses the flaw (GHSA-p4x4-2r7f-wjxg). No evidence of active exploitation or public POC identified at time of analysis.
Technical ContextAI
This vulnerability exploits a design flaw (CWE-807: Reliance on Untrusted Inputs in a Security Decision) in OpenClaw's execution approval mechanism, specifically in the exec-approvals-allowlist.ts module. The system implements allow-always persistence for executable approval, but incorrectly validates wrapper carrier executables rather than the final target binaries they invoke. When users approve execution through dispatch wrappers (common in script interpreters, shells, or launcher processes), the allowlist records the wrapper's path instead of the actual executable being launched. Subsequent invocations can exploit positional parameters to execute arbitrary payloads under the approved wrapper's trust context. This transforms granular per-executable approval into broad interpreter-level trust, effectively bypassing the security boundary the allowlist was designed to enforce. The CVSS:4.0 vector (AV:L/AC:L/PR:L/UI:P) indicates local attack surface with low complexity, requiring low privileges but user interaction to initially establish the malicious allowlist entry.
RemediationAI
Upgrade to OpenClaw version 2026.3.28 or later, which corrects the allowlist validation logic to trust invoked target executables rather than wrapper carriers (vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg). For environments unable to patch immediately: disable the allow-always execution approval feature in exec-approvals-allowlist.ts configuration, requiring per-execution approval for all binaries (trade-off: increased user friction and approval fatigue). Alternatively, audit existing allowlist entries to remove generic wrapper executables (shells, script interpreters, launcher processes) and replace with specific target binary paths, though this requires manual inventory of approved executables and does not prevent future exploitation. Review audit logs for suspicious approval patterns involving wrapper executables followed by diverse child process invocations, which may indicate historical exploitation. Note that disabling allow-always approval impacts usability for legitimate recurring tasks and may require workflow adjustments.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26089
GHSA-p4x4-2r7f-wjxg