Executive Summary
A critical-severity exec allowlist bypass vulnerability (CVE-2026-32973, CVSS 9.8) has been disclosed in OpenClaw versions prior to 2026.3.11. The flaw resides in the matchesExecAllowlistPattern function, which uses lowercasing and glob matching to enforce which commands are permitted. Improper normalization allows an attacker to craft a path using the ? wildcard that overmatches across POSIX path segments, defeating the allowlist entirely and enabling arbitrary command execution.
CVSS Score: 9.8 (Critical)
Published to the NVD on March 29, 2026, this vulnerability presents a severe risk to any deployment relying on OpenClaw's exec allowlist as a security boundary.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-32973 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-184: Incomplete List of Disallowed Inputs |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Vulnerable Component | matchesExecAllowlistPattern function |
| Root Cause | Glob ? wildcard overmatches across POSIX path separators |
Affected Products
| Vendor | Product | Affected Versions | Fixed Version |
|---|---|---|---|
| OpenClaw | OpenClaw | All versions before 2026.3.11 | 2026.3.11 |
Vulnerability Details
Glob Pattern Normalization Flaw
OpenClaw implements an exec allowlist to restrict which commands agents may run. The matchesExecAllowlistPattern function normalizes allowlist patterns using lowercasing before applying glob matching. The critical flaw is that the ? wildcard — intended to match exactly one character — is permitted to match the POSIX path separator /.
This means an allowlist entry such as:

```
/allowed/commands/*
```

can be bypassed with a crafted path like:

```
/bypassed?commands?malicious
```

Because ? matches /, the normalization and glob matching incorrectly evaluate the crafted path as matching the allowlist pattern, permitting execution of commands that should be blocked.
Attack flow:
1. Attacker identifies a command outside the exec allowlist
2. Attacker constructs a path using ? in place of / separators
3. matchesExecAllowlistPattern lowercases and glob-matches the crafted path
4. The ? wildcard overmatches path separators, returning a false allowlist match
5. OpenClaw executes the disallowed command, bypassing the security boundary
Impact of Successful Exploitation
A successful exploit gives the attacker the ability to execute arbitrary commands that should have been blocked by the allowlist, including:
- Escape agent sandboxes — execute OS-level commands outside sanctioned paths
- Access sensitive data — read files, credentials, or secrets accessible from the agent runtime
- Establish persistence — plant backdoors or modify configuration outside allowlisted paths
- Lateral movement — exploit agent-level network access to pivot to internal services
- Full system compromise — depending on the privilege level of the OpenClaw agent process
The CVSS score of 9.8 reflects zero authentication requirement, low complexity, network accessibility, and full impact on confidentiality, integrity, and availability.
Deployment Context and Risk
OpenClaw is an AI agent orchestration platform used in automated pipeline and enterprise workflow environments. The exec allowlist is a core security boundary ensuring agents can only run sanctioned commands.
| Deployment Context | Risk Level | Notes |
|---|---|---|
| Internet-exposed agent endpoints | Critical | Remote exploitation with no authentication |
| Internal pipeline infrastructure | Critical | Any attacker who can send agent requests |
| Multi-tenant agent platforms | Critical | Cross-tenant command execution possible |
| CI/CD environments | Critical | Build pipeline compromise and secret exfiltration |
Recommended Mitigations
1. Upgrade Immediately
```shell
# Upgrade OpenClaw to 2026.3.11 or later
# The fix corrects glob pattern normalization to prevent ? from matching /
```

Upgrade to OpenClaw 2026.3.11, which patches matchesExecAllowlistPattern to prevent the ? wildcard from matching the POSIX path separator /.
2. Restrict Exec Allowlist Surface
While patching, review and tighten your exec allowlist entries:
- Remove any overly broad wildcard patterns
- Use absolute paths in allowlist entries where possible
- Validate that no allowlist entry can be satisfied by path manipulation
3. Restrict Agent Network Exposure
```shell
# Limit which services can submit exec requests to OpenClaw agents
# Block direct internet access to agent endpoints
# Explicit rule positions matter: with plain -I both rules would be inserted at
# position 1, leaving the DROP above the ACCEPT and blocking trusted sources too
iptables -I INPUT 1 -p tcp --dport <AGENT_PORT> -s <TRUSTED_CIDR> -j ACCEPT
iptables -I INPUT 2 -p tcp --dport <AGENT_PORT> -j DROP
```

4. Monitor for Exploitation Indicators
| Indicator | Description |
|---|---|
| Commands executing outside expected paths | Allowlist bypass successful |
| Unexpected process spawns from the agent runtime | Post-exploitation activity |
| Anomalous network connections from agent processes | Data exfiltration or C2 |
| Allowlist pattern match logs showing / in ? positions | Active exploitation attempt |
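The following is an added example, not OpenClaw's code, illustrating both the glob normalization flaw described above and the last monitoring indicator in the table. It places a flawed matcher (Python's fnmatch, whose ? and * are allowed to consume /) beside a segment-aware matcher in which no wildcard can cross a path separator, then reuses the pair to flag allowlist-match log lines whose acceptance depended on a wildcard crossing a separator, and to audit allowlist entries for wildcards in directory positions. The pattern syntax (* and ?), the log line format, and all sample paths and log lines are assumptions constructed for this example; the lowercasing is kept only to mirror the normalization the advisory describes.

```python
# Added example (not OpenClaw's code): a segment-aware allowlist matcher beside
# the separator-crossing behaviour the advisory describes, plus a check over
# allowlist-decision log lines and an allowlist audit. Pattern syntax (*, ?),
# the log line format and the sample paths are constructed assumptions.
import fnmatch
import posixpath
import re

SEP = "/"


def naive_matches(pattern: str, path: str) -> bool:
    """Flawed matcher: lowercases both sides and hands them to fnmatch, whose
    '?' and '*' may match the POSIX separator, so a wildcard can swallow '/'
    and reach into a different directory."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a glob into a regex in which '*' and '?' never match '/'."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def hardened_matches(pattern: str, path: str) -> bool:
    """Segment-aware matcher: collapse '//' and resolve '..' first, so the path
    compared is the path that would actually run, and keep every wildcard
    inside a single segment. Lowercasing only mirrors the advisory's description."""
    normalized = posixpath.normpath(path).lower()
    return glob_to_regex(pattern.lower()).match(normalized) is not None


def suspicious_match(pattern: str, path: str) -> bool:
    """True when the flawed matcher accepts a path the segment-aware one rejects:
    acceptance depended on a wildcard crossing a separator or on unresolved
    '..' / '//' in the path."""
    return naive_matches(pattern, path) and not hardened_matches(pattern, path)


# Assumed log line format for allowlist decisions (constructed for this example).
LOG_LINE = re.compile(
    r'allowlist match pattern="(?P<pattern>[^"]*)" path="(?P<path>[^"]*)"'
)


def scan_match_log(lines):
    """Return (pattern, path) pairs from allowlist-match log lines whose match
    only held because a wildcard crossed a separator."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and suspicious_match(m["pattern"], m["path"]):
            hits.append((m["pattern"], m["path"]))
    return hits


def audit_allowlist(entries):
    """Flag entries that are relative or that put a wildcard in a directory
    segment, where everything below that directory becomes runnable."""
    findings = []
    for entry in entries:
        if not entry.startswith(SEP):
            findings.append((entry, "not an absolute path"))
        directory_segments = entry.split(SEP)[:-1]
        if any("*" in s or "?" in s for s in directory_segments):
            findings.append((entry, "wildcard in a directory segment"))
    return findings


# Constructed sample log lines: one legitimate match, one match that relies on
# '?' consuming a '/', one that relies on '*' consuming unresolved '..' segments.
SAMPLE_LOG = [
    'INFO allowlist match pattern="/opt/tools/bin/*" path="/opt/tools/bin/ls"',
    'INFO allowlist match pattern="/opt/tools/v?/report" path="/opt/tools/v//report"',
    'INFO allowlist match pattern="/opt/tools/bin/*" path="/opt/tools/bin/../../../bin/sh"',
]

if __name__ == "__main__":
    for pattern, path in scan_match_log(SAMPLE_LOG):
        print(f"separator-crossing match: pattern={pattern!r} path={path!r}")
    for entry, reason in audit_allowlist(["/opt/tools/*/run", "tools/bin/ls", "/opt/tools/bin/*"]):
        print(f"allowlist entry {entry!r}: {reason}")
```

Running the block reports the second and third sample lines as separator-crossing matches and the first as clean; the same suspicious_match check can be run against historical allowlist logs when working through the post-remediation checklist, and audit_allowlist gives a starting point for the allowlist review while the patch is rolled out.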
Post-Remediation Checklist
- Verify patch applied — confirm OpenClaw version is 2026.3.11 or later
- Audit exec allowlist patterns — review all patterns for overly broad glob usage
- Review agent execution logs — check for commands executed outside expected paths prior to patching
- Rotate secrets — if exploitation occurred, rotate all secrets accessible from the agent runtime
- Audit downstream systems — check systems the agent had network access to for signs of lateral movement