Description
OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard matching across path segments to execute commands or paths not intended by operators.
Published: 2026-03-29
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

OpenClaw before version 2026.3.11 contains an exec allowlist bypass vulnerability. The flaw occurs because the exec allowlist pattern matching normalizes patterns with lowercasing and glob matching, which over‑matches on POSIX paths. An attacker can use the '?' wildcard across path segments to trigger execution of commands or paths that were not intended to be executable. This issue is classified as CWE‑625 and can compromise confidentiality, integrity, and availability by enabling arbitrary command execution.

Affected Systems

The product affected is OpenClaw from the vendor OpenClaw. All releases prior to 2026.3.11 are vulnerable. Users should verify that their deployments are running a legacy version and plan an upgrade accordingly.

Risk and Exploitability

The CVSS score of 8.8 signals high severity; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, inferred from the ability to trigger the exec allowlist via external input. Attackers who can supply such input could execute arbitrary commands without local privileges, making this a critical concern for systems that expose OpenClaw over a network.

Generated by OpenCVE AI on March 29, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an upgrade to OpenClaw version 2026.3.11 or later
  • Verify that the deployment is using the updated version

Generated by OpenCVE AI on March 29, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 29 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard matching across path segments to execute commands or paths not intended by operators.
Title OpenClaw < 2026.3.11 - Exec Allowlist Pattern Overmatch via POSIX Path Normalization
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-625
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T14:12:38.296Z

Reserved: 2026-03-17T11:31:33.584Z

Link: CVE-2026-32973

cve-icon Vulnrichment

Updated: 2026-03-30T14:12:32.059Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-29T13:17:01.367

Modified: 2026-03-30T17:03:28.690

Link: CVE-2026-32973

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:58:20Z

Weaknesses