CVE-2026-32023

MEDIUM openclaw NVD

CVSS Score 5.9

Severity MEDIUM

Published Mar 19, 2026

Vendor openclaw

Description

OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env to execute /bin/sh -c commands without triggering the expected approval prompt in allowlist plus ask=on-miss configurations.

References

https://github.com/openclaw/openclaw/commit/57c9a18180c8b14885bbd95474cbb17ff2d03f0b
https://github.com/openclaw/openclaw/security/advisories/GHSA-ccg8-46r6-9qgj
https://www.vulncheck.com/advisories/openclaw-approval-gating-bypass-via-dispatch-wrapper-depth-cap-mismatch-in-system-run