Description
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactly four transparent dispatch wrappers like repeated env invocations before /bin/sh -c to bypass security=allowlist approval gating by misaligning classification with execution planning.
Published: 2026-03-23
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Approval Bypass via Dispatch Wrapper Depth Mismatch
Action: Patch Now
AI Analysis

Impact

OpenClaw versions before 2026.3.7 allow a shell approval gating bypass when system.run uses a dispatch wrapper. The bypass relies on a depth-boundary mismatch between the approval classifier and the execution planner: the two components unwrap transparent dispatch wrappers to different depths, so an attacker can supply exactly four wrappers that the classifier treats as safe while the planner still executes the wrapped /bin/sh -c. The attacker can therefore run shell commands without being subject to the configured approval allowlist, leading to elevated privileges or unwanted command execution.

Affected Systems

All OpenClaw installations running a version earlier than 2026.3.7 on a Node.js runtime are affected. This applies to any deployment that uses the system.run interface or calls into the dispatch wrapper logic.

Risk and Exploitability

The CVSS score of 2.1 indicates a low overall risk, and the EPSS score is below 1%, meaning the likelihood of exploitation is low. The vulnerability is not recorded in the CISA KEV catalog. Exploitation requires the attacker to trigger system.run with a specifically crafted sequence of wrappers; local or remote code execution depends on the target system’s exposure and the attacker’s ability to inject such calls. Based on the description, the attack vector is inferred to be a local or remote input that can invoke system.run, but the exact delivery method is not explicitly detailed in the advisory.

Generated by OpenCVE AI on March 24, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.3.7 or later


Tracking


Advisories
Source: Github GHSA
ID: GHSA-r6qf-8968-wj9q
Title: OpenClaw: system.run wrapper-depth boundary could skip shell approval gating
History

Wed, 25 Mar 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Tue, 24 Mar 2026 21:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Tue, 24 Mar 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Openclaw; Openclaw openclaw
Type: Vendors & Products
Values Added: Openclaw; Openclaw openclaw

Tue, 24 Mar 2026 02:30:00 +0000

Type: Description
Values Added: OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactly four transparent dispatch wrappers like repeated env invocations before /bin/sh -c to bypass security=allowlist approval gating by misaligning classification with execution planning.
Type: Title
Values Added: OpenClaw < 2026.3.7 - Shell Approval Gating Bypass via Dispatch Wrapper Depth Mismatch
Type: Weaknesses
Values Added: CWE-863
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 4.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L'}
Values Added: cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-25T14:39:07.993Z

Reserved: 2026-02-18T18:15:40.257Z

Link: CVE-2026-27183

Vulnrichment

Updated: 2026-03-24T14:00:19.137Z

NVD

Status: Modified

Published: 2026-03-23T22:16:25.443

Modified: 2026-03-25T15:16:38.777

Link: CVE-2026-27183

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:24Z

Weaknesses