Executive Summary

CVE-2026-31992 is an allowlist bypass vulnerability in OpenClaw versions prior to 2026.2.23 affecting the system.run guardrails. It allows authenticated operators to execute unintended commands by exploiting how the /usr/bin/env command is allowlisted.

Specifically, attackers can use the `env -S` option to bypass policy analysis because the allowlist treats this usage as allowed, but at runtime it executes shell wrapper payloads, which are normally restricted. This mismatch enables execution of commands that should be blocked.

The vulnerability arises from incomplete input filtering and protection mechanism failure, classified under CWE-184 and CWE-693, and has a CVSS v4 base score of 7.1, indicating a high impact on integrity with low attack complexity.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated operators to bypass execution guardrails designed to restrict command execution, potentially leading to unintended or unauthorized command execution within the OpenClaw environment.

Because the bypass exploits the allowlist system, it weakens safety controls that prevent misuse by trusted operators, which could be leveraged if untrusted input influences tool invocation.

The impact is primarily on the integrity of the system, as attackers can execute shell wrapper payloads that were meant to be blocked, possibly leading to unauthorized actions or compromise of system behavior.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "Detection of this vulnerability involves monitoring for usage of the `env -S` command pattern in contexts where OpenClaw's system.run guardrails are in use, as this is the bypass vector exploited."}, {'type': 'paragraph', 'content': 'Specifically, commands or scripts that invoke `/usr/bin/env` with the `-S` or `--split-string` option should be flagged, since this usage bypasses allowlist policy analysis and enables execution of unintended shell wrapper payloads.'}, {'type': 'paragraph', 'content': 'To detect potential exploitation attempts, you can search for processes or command invocations containing `env -S` or `env --split-string`.'}, {'type': 'list_item', 'content': "Use system process monitoring tools like `ps aux | grep 'env -S'` to identify running commands using the vulnerable pattern."}, {'type': 'list_item', 'content': 'Check shell history or audit logs for commands containing `env -S` or `env --split-string`.'}, {'type': 'list_item', 'content': 'Implement logging or alerting on execution of `/usr/bin/env` with the `-S` option within OpenClaw environments.'}] [1, 2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.2.23 or later, where this vulnerability has been patched.

The patch enforces strict canonical execution plans and blocks usage of the `env -S` or `env --split-string` options in allowlist mode, preventing the bypass.

Until the patch can be applied, consider restricting or monitoring the use of `/usr/bin/env` with the `-S` option by authenticated operators to reduce risk.

Additionally, review and harden allowlist policies and safe-bin configurations to reject unknown or ambiguous flags and ensure that only explicitly allowed commands are executable.

Useful 0 Not Useful 0