OpenClaw Exec Allowlist Bypass via POSIX Path Overmatching (CVE-2026-32973)
OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability (CVE-2026-32973) due to improper normalization of patterns, allowing attackers to execute unintended commands via wildcard matching in POSIX paths.
OpenClaw versions prior to 2026.3.11 are susceptible to an exec allowlist bypass vulnerability, identified as CVE-2026-32973. The vulnerability stems from the way the matchesExecAllowlistPattern function normalizes patterns and candidate paths before glob matching, specifically its lowercasing and its handling of glob wildcards. Lowercasing both sides makes a POSIX path (which is case-sensitive on the filesystem) compare case-insensitively, and the ‘?’ wildcard is allowed to match a ‘/’, so a single-character wildcard can span a directory boundary. Together these cause the allowlist to overmatch on POSIX paths, enabling attackers to circumvent the intended restrictions. By leveraging the ‘?’ wildcard, attackers can match across path segments to execute commands or access paths…
Detection coverage (2 rules)
Detect OpenClaw Allowlist Bypass Attempt
Severity: high. Detects attempts to bypass the OpenClaw exec allowlist by using wildcard characters in command execution.
Detect OpenClaw using Lowercase Bypass
Severity: medium. Detects potential bypass attempts leveraging lowercase normalization issues in OpenClaw's allowlist.
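The following is an added example, not OpenClaw's code and not the vendor's detection queries. It reconstructs the bug class described above (a glob matcher that lowercases both sides and lets ‘?’ match ‘/’) next to a separator-aware, case-preserving matcher, and flags any candidate that the naive matcher accepts but the strict one rejects. That disagreement is exactly what both detection rules listed above would key on: a wildcard match that crossed a path segment, or a match that only succeeded because of case folding. All function names (naiveGlobToRegExp, matchesAllowlistNaive, matchesAllowlistStrict, auditMatch) and every pattern/path pair are assumptions constructed for the example; the hardened variant is one reasonable fix, not necessarily what 2026.3.11 shipped.

```typescript
// Added example: hypothetical reconstruction of the CVE-2026-32973 bug class.
// Not OpenClaw's matchesExecAllowlistPattern; names and test data are constructed.

// Escape regex metacharacters, but leave '*' and '?' alone: they are the glob wildcards.
function escapeRegExp(s: string): string {
  return s.replace(/[.+^${}()|[\]\\]/g, "\\$&");
}

// Naive (vulnerable) translation: '*' stays within one path segment, but '?'
// becomes '.', which also matches '/'. Assumed behaviour, modelled on the advisory.
function naiveGlobToRegExp(pattern: string): RegExp {
  const body = escapeRegExp(pattern).replace(/\*/g, "[^/]*").replace(/\?/g, ".");
  return new RegExp(`^${body}$`);
}

// Vulnerable matcher: lowercases both pattern and candidate before matching,
// so a case-sensitive POSIX path is compared case-insensitively.
function matchesAllowlistNaive(pattern: string, candidate: string): boolean {
  return naiveGlobToRegExp(pattern.toLowerCase()).test(candidate.toLowerCase());
}

// Hardened translation: '?' matches exactly one non-separator character.
function strictGlobToRegExp(pattern: string): RegExp {
  const body = escapeRegExp(pattern).replace(/\*/g, "[^/]*").replace(/\?/g, "[^/]");
  return new RegExp(`^${body}$`);
}

// Hardened matcher: no case folding; the path is compared as the filesystem sees it.
function matchesAllowlistStrict(pattern: string, candidate: string): boolean {
  return strictGlobToRegExp(pattern).test(candidate);
}

interface MatchAudit {
  pattern: string;
  candidate: string;
  naive: boolean;
  strict: boolean;
  suspicious: boolean; // accepted only by the vulnerable matcher
}

// Detection logic: a naive match that the strict matcher rejects is a bypass attempt.
function auditMatch(pattern: string, candidate: string): MatchAudit {
  const naive = matchesAllowlistNaive(pattern, candidate);
  const strict = matchesAllowlistStrict(pattern, candidate);
  return { pattern, candidate, naive, strict, suspicious: naive && !strict };
}

// Constructed sample of (allowlist pattern, executed path) pairs.
const CONSTRUCTED_CASES: Array<[string, string]> = [
  ["/opt/scripts/backup?.sh", "/opt/scripts/backup1.sh"],   // legitimate use of '?'
  ["/opt/scripts/backup?.sh", "/opt/scripts/backup/.sh"],   // '?' crosses the '/' boundary
  ["/opt/scripts/backup?.sh", "/opt/scripts/BACKUP1.sh"],   // different file on a case-sensitive FS
  ["/usr/bin/git", "/usr/bin/Git"],                         // case folding with no wildcard at all
  ["/usr/bin/*", "/usr/bin/../../bin/sh"],                  // '*' is segment-scoped in both variants
];

function runAudit(): MatchAudit[] {
  return CONSTRUCTED_CASES.map(([pattern, candidate]) => auditMatch(pattern, candidate));
}

// Candidates that only the vulnerable matcher would have allowed.
function suspiciousCandidates(): string[] {
  return runAudit().filter((r) => r.suspicious).map((r) => r.candidate);
}

for (const r of runAudit()) {
  console.log(`${r.suspicious ? "SUSPICIOUS" : "ok        "} pattern=${r.pattern} path=${r.candidate} naive=${r.naive} strict=${r.strict}`);
}
```

Run with ts-node or compile with tsc. The three flagged rows show the two distinct bypass mechanisms: ‘/opt/scripts/backup/.sh’ is matched because ‘?’ consumed the directory separator, while ‘/opt/scripts/BACKUP1.sh’ and ‘/usr/bin/Git’ are matched only because both sides were lowercased. The last row is included to show that with ‘*’ already confined to one segment, the single-character wildcard and the case folding are what remain exploitable.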