CVE-2026-41380

OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targets. Attackers can exploit positional carrier executable routing through dispatch wrappers to...

CVE-2026-41380

OpenClaw vulnerable before 2026.3.28 via exec-approvals-allowlist.ts: an execution-approval weakness lets one-time allow-always entries persistently trust wrapper carrier executables routed through dispatch wrappers, broadening the allowlist and weakening execution boundaries. CVSS 3.1/4.0 indica...

PT-2026-35765

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.28 Description An execution approval issue exists in exec-approvals-allowlist.ts where allow-always persistence trusts wrapper carrier executables instead of the actual invoked targets. This allows attackers t...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization due to over-trusting of positional carrier executables in the src/infra/exec-approvals-allowlist.ts process. An attacker can gain unauthorized access to privileged...

CVE-2026-27183

OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactl...

CVE-2026-27183

OpenClaw vulnerable up to 2026.3.6. The issue lies in system.run dispatch-wrapper handling where the approval classifier and execution planner use different depth-boundary rules, allowing exactly four transparent dispatch wrappers before /bin/sh -c and bypassing the shell approval gating. This mi...

CVE-2026-32023

OpenClaw : vulnerable up to version 2026.2.23 due to an approval-gating bypass in system.run allowlist mode caused by a dispatch-wrapper depth-cap mismatch. Attackers could chain nested wrappers (e.g., /usr/bin/env) to execute /bin/sh -c commands without triggering the approval prompt. The issue ...

CVE-2026-32023 OpenClaw < 2026.2.24 - Approval Gating Bypass via Dispatch-Wrapper Depth-Cap Mismatch in system.run

OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env to execute /bin/sh...

CVE-2026-32023 OpenClaw < 2026.2.24 - Approval Gating Bypass via Dispatch-Wrapper Depth-Cap Mismatch in system.run

OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env to execute /bin/sh...

EUVD-2026-13294

OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env to execute /bin/sh...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the system.run process when handling dispatch wrappers with exactly four transparent wrappers such as repeated env invocations before /bin/sh -c. An attacker ca...

PT-2026-27222

OpenClaw's system.run dispatch-wrapper handling applied different depth-boundary rules to shell-wrapper approval detection and execution planning. With exactly four transparent dispatch wrappers such as repeated env invocations before /bin/sh -c, the approval classifier could stop treating the...

OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains

Summary system.run exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap env/shell-dispatch wrappers. This allowed wrapper-smuggled payloads for example env bash -lc ... to satisfy an allowlist entry for the wrapper while executing non-allowlisted...

PT-2026-26404

Summary A wrapper-depth parsing mismatch in system.run allowed nested transparent dispatch wrappers for example repeated /usr/bin/env to suppress shell-wrapper detection while still matching allowlist resolution. In security=allowlist + ask=on-miss, this could bypass the expected approval prompt...