Description
OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env to execute /bin/sh -c commands without triggering the expected approval prompt in allowlist plus ask=on-miss configurations.
Published: 2026-03-19
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Command Execution via Approval Gating Bypass
Action: Patch Immediately
AI Analysis

Impact

OpenClaw versions prior to 2026.2.24 allow an attacker to bypass the approval gating in system.run allowlist mode. By chaining nested dispatch wrappers such as /usr/bin/env, an attacker can suppress shell-wrapper detection and execute /bin/sh -c commands without triggering the expected approval prompt. This is a flaw in the command execution path, classified as CWE-863 (Incorrect Authorization), that can lead to unauthorized code execution on the host system.

Affected Systems

All OpenClaw installations with a version earlier than 2026.2.24 are affected, irrespective of operating system or Node.js environment. The vulnerability is present in the OpenClaw product as indicated by the CPE string cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*.

Risk and Exploitability

The vulnerability has a CVSS score of 6, indicating moderate severity. EPSS information is not provided, and the vulnerability is not listed in KEV, suggesting no known widespread exploitation. The exact attack vector is not detailed in the provided data; based on the description, exploitation likely requires local execution or the ability to influence privileged system.run calls.

Generated by OpenCVE AI on March 19, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.24 or newer.
  • Verify that all system.run calls conform to the updated approval gating logic.
  • Consider disabling or restricting system.run usage if an upgrade is not immediately possible.

Generated by OpenCVE AI on March 19, 2026 at 23:38 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-ccg8-46r6-9qgj
Title: OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
History

Wed, 25 Mar 2026 15:00:00 +0000

Type: Metrics
Values removed: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L'}
Values added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}


Tue, 24 Mar 2026 21:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 22:15:00 +0000

Values added (first publication, nothing removed):
Description: OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env to execute /bin/sh -c commands without triggering the expected approval prompt in allowlist plus ask=on-miss configurations.
Title: OpenClaw < 2026.2.24 - Approval Gating Bypass via Dispatch-Wrapper Depth-Cap Mismatch in system.run
First time appeared: Openclaw; Openclaw openclaw
Weaknesses: CWE-863
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw; Openclaw openclaw
References: (none)
Metrics: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L'}
Metrics: cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-25T14:28:35.875Z

Reserved: 2026-03-10T19:48:40.708Z

Link: CVE-2026-32023

Vulnrichment

Updated: 2026-03-24T20:25:53.854Z

NVD

Status : Modified

Published: 2026-03-19T22:16:36.520

Modified: 2026-03-25T15:16:45.217

Link: CVE-2026-32023

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T10:44:29Z

Weaknesses