CVE-2026-31992
Allowlist Bypass in OpenClaw system.run Enables Command Execution

Publication date: 2026-03-19

Last updated on: 2026-03-19

Assigner: VulnCheck

Description
OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowlisted, attackers can use env -S to bypass policy analysis and execute shell wrapper payloads at runtime.
Meta Information
Published: 2026-03-19
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: up to 2026.2.23 (excluding)
CWE
CWE-184: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31992 is an allowlist bypass vulnerability in OpenClaw versions prior to 2026.2.23 affecting the system.run guardrails. It allows authenticated operators to execute unintended commands by exploiting how the /usr/bin/env command is allowlisted.

Specifically, attackers can use the `env -S` option to bypass policy analysis because the allowlist treats this usage as allowed, but at runtime it executes shell wrapper payloads, which are normally restricted. This mismatch enables execution of commands that should be blocked.

The vulnerability arises from incomplete input filtering and protection mechanism failure, classified under CWE-184 and CWE-693, and has a CVSS v4 base score of 7.1, indicating a high impact on integrity with low attack complexity.


How can this vulnerability impact me?

This vulnerability allows authenticated operators to bypass execution guardrails designed to restrict command execution, potentially leading to unintended or unauthorized command execution within the OpenClaw environment.

Because the bypass exploits the allowlist system, it weakens safety controls that prevent misuse by trusted operators, which could be leveraged if untrusted input influences tool invocation.

The impact is primarily on the integrity of the system, as attackers can execute shell wrapper payloads that were meant to be blocked, possibly leading to unauthorized actions or compromise of system behavior.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for usage of the `env -S` command pattern in contexts where OpenClaw's system.run guardrails are in use, as this is the bypass vector exploited.

Specifically, commands or scripts that invoke `/usr/bin/env` with the `-S` or `--split-string` option should be flagged, since this usage bypasses allowlist policy analysis and enables execution of unintended shell wrapper payloads.

To detect potential exploitation attempts, you can search for processes or command invocations containing `env -S` or `env --split-string`.

- Use system process monitoring tools like `ps aux | grep 'env -S'` to identify running commands using the vulnerable pattern.
- Check shell history or audit logs for commands containing `env -S` or `env --split-string`.
- Implement logging or alerting on execution of `/usr/bin/env` with the `-S` option within OpenClaw environments.

[1, 2, 3]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade OpenClaw to version 2026.2.23 or later, where this vulnerability has been patched.

The patch enforces strict canonical execution plans and blocks usage of the `env -S` or `env --split-string` options in allowlist mode, preventing the bypass.

Until the patch can be applied, consider restricting or monitoring the use of `/usr/bin/env` with the `-S` option by authenticated operators to reduce risk.

Additionally, review and harden allowlist policies and safe-bin configurations to reject unknown or ambiguous flags and ensure that only explicitly allowed commands are executable.
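One way to harden an allowlist guard along the lines the mitigation and detection answers describe, shown here as an added example (not OpenClaw's own code): the guard refuses any env invocation that selects split-string mode in whichever spelling (`-S`, `--split-string`, `--split-string=...`, or `S` inside a clustered short option), and the same check is applied to constructed audit-log lines. The allowlist contents and the audit-line format are assumptions.

```python
import shlex
# Constructed allowlist of absolute paths an operator may invoke (assumption, not
# OpenClaw's real safe-bin list). /usr/bin/env is the entry the CVE abused.
ALLOWLIST = {"/usr/bin/env", "/usr/bin/ls", "/usr/bin/cat"}

def env_uses_split_string(argv):
    """True if an env argv selects -S/--split-string in any spelling."""
    i = 1
    while i < len(argv):
        a = argv[i]
        if a == "--":
            return False
        if a.startswith("--"):
            if a == "--split-string" or a.startswith("--split-string="):
                return True
            if a in ("--unset", "--chdir"):   # next word is the option's value
                i += 1
        elif a.startswith("-") and len(a) > 1:
            # Clustered short options (-iS) or attached values (-S'cmd'): any 'S' is refused.
            if "S" in a:
                return True
            if a in ("-u", "-C"):              # next word is the option's value
                i += 1
        else:
            return False  # first non-option word is the program env will run
        i += 1
    return False

def check_command(cmdline):
    """Return (allowed, reason) for a shell-style command line."""
    argv = shlex.split(cmdline)
    if not argv:
        return False, "empty command"
    prog = argv[0]
    if prog not in ALLOWLIST:
        return False, f"{prog} is not allowlisted"
    if prog.endswith("/env") and env_uses_split_string(argv):
        return False, "env -S/--split-string is refused in allowlist mode"
    return True, "ok"

def flag_audit_lines(lines):
    """Return the audit lines whose recorded command the guard would refuse."""
    return [ln for ln in lines if not check_command(ln.partition("cmd=")[2])[0]]

# Constructed audit-log sample; the 'ts op=... cmd=...' layout is an assumption.
AUDIT_SAMPLE = [
    "2026-03-19T10:00:01Z op=alice cmd=/usr/bin/ls -l /tmp",
    "2026-03-19T10:00:02Z op=alice cmd=/usr/bin/env PATH=/bin /usr/bin/ls",
    "2026-03-19T10:00:03Z op=bob cmd=/usr/bin/env -iS '/usr/bin/ls -l'",
]
```

Running `flag_audit_lines(AUDIT_SAMPLE)` returns only the third line; the plain `env` invocation that merely sets `PATH` is still allowed.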

