Description
OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbreviated long options to skip approval requirements in allowlist mode.
Published: 2026-03-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Allowlist Bypass
Action: Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.23 contain a flaw in the tools.exec.safeBins component where the validation of the GNU sort command fails to enforce deny‑flag checks for long‑option abbreviations. Attackers can supply abbreviated long options to the sort command, allowing them to bypass the allowlist enforcement and execute sort commands that would otherwise be denied. The weakness is a command‑validation issue classified as CWE‑863.

Affected Systems

The affected product is OpenClaw (openclaw:openclaw) running any version with the release identifier 2026.2.22‑2 or earlier, up to but not including 2026.2.23. The CPE entries include the core OpenClaw component and a node.js component; the vulnerability is specific to the OpenClaw application itself.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the EPSS score of less than 1 % suggests that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. The CVE description states that remote attackers can execute sort commands with abbreviated long options, so it is inferred that the attack vector is remote via a network‑accessible interface that accepts sort commands. No other prerequisites or specific conditions are described beyond the presence of the allowlist mechanism.

Generated by OpenCVE AI on March 17, 2026 at 17:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.2.23 or later, which includes the fix for the sort option validation.
  • If an upgrade is not immediately possible, disable the sort command or remove it from the allowlisted commands in the configuration to prevent the bypass.

Generated by OpenCVE AI on March 17, 2026 at 17:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3c6h-g97w-fg78 OpenClaw's tools.exec.safeBins sort long-option abbreviation bypass can skip exec approval in allowlist mode
History

Mon, 16 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Wed, 11 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbreviated long options to skip approval requirements in allowlist mode.
Title OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-863
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*
cpe:2.3:a:openclaw:openclaw:2026.2.23:*:*:*:*:*:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-11T14:43:34.408Z

Reserved: 2026-03-10T19:51:53.605Z

Link: CVE-2026-32059

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T14:16:27.743

Modified: 2026-03-16T17:38:55.480

Link: CVE-2026-32059

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:37:17Z

Weaknesses