CVE-2026-32973
Received Received - Intake
Exec Allowlist Bypass in OpenClaw Enables Unauthorized Command Execution

Publication date: 2026-03-29

Last updated on: 2026-03-30

Assigner: VulnCheck

Description
OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard matching across path segments to execute commands or paths not intended by operators.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-29
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-29
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32973
EUVD
EUVD-2026-17011
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-625 The product uses a regular expression that does not sufficiently restrict the set of allowed values.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32973 is a critical vulnerability in OpenClaw versions before 2026.3.11 involving an exec allowlist bypass. The function matchesExecAllowlistPattern improperly normalizes patterns by lowercasing and using glob matching, which causes overmatching on POSIX paths.

Attackers can exploit the '?' wildcard character to match across path segments, allowing them to execute commands or access paths that operators did not intend to permit.

This flaw is related to CWE-625 (Permissive Regular Expression) and CWE-178 (Improper Handling of Case Sensitivity), resulting in unauthorized command execution due to overpermissive pattern matching in the allowlist mechanism.

The issue was fixed in OpenClaw version 2026.3.11 by correcting the pattern normalization to prevent overmatching.

Impact Analysis

This vulnerability can allow attackers to bypass the exec allowlist and execute unauthorized commands or access unintended paths on systems running vulnerable OpenClaw versions.

Because the pattern matching overmatches due to improper normalization, attackers can exploit wildcard characters to cross directory boundaries, potentially leading to unauthorized command execution.

Such unauthorized execution can compromise system integrity, lead to privilege escalation, or allow attackers to perform malicious actions that operators intended to block.

Mitigation Strategies

To mitigate the vulnerability in OpenClaw before version 2026.3.11, you should upgrade OpenClaw to version 2026.3.11 or later, where the exec allowlist pattern matching has been corrected to prevent overmatching and unauthorized command execution.

This update fixes the improper normalization of patterns by removing lowercasing and restricting wildcard matching so that it does not cross POSIX path segment boundaries.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32973. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart