CVE-2026-41392
NVD
CVSS Score: 6.7
Severity: MEDIUM
Published: Apr 28, 2026
Vendor: unknown
Description
OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell init-file wrapper invocations. Attackers can exploit shell options like --rcfile, --init-file, and --startup-file to load attacker-chosen initialization files while bypassing exec allowlist matching restrictions.