4 matches found
CVE-2026-41380
OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targets. Attackers can exploit positional carrier executable routing through dispatch wrappers to...
CVE-2026-41380 OpenClaw < 2026.3.28 - Arbitrary Execution Allowlist via Wrapper Carrier Executables
OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targets. Attackers can exploit positional carrier executable routing through dispatch wrappers to...
CVE-2026-41380
OpenClaw vulnerable before 2026.3.28 via exec-approvals-allowlist.ts: an execution-approval weakness lets one-time allow-always entries persistently trust wrapper carrier executables routed through dispatch wrappers, broadening the allowlist and weakening execution boundaries. CVSS 3.1/4.0 indica...
OpenClaw gateway exec allow-always over-trusts positional carrier executables
Summary Allow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers. Impact A one-time approval could persist a broader future allowlist entry than the operator intended, weakening execution approval...