CVE-2026-35666
Received Received - Intake
Allowlist Bypass in OpenClaw system.run Enables Execution Restriction Evasion

Publication date: 2026-04-10

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to unwrap /usr/bin/time wrappers. Attackers can bypass executable binding restrictions by using an unregistered time wrapper to reuse approval state for inner commands.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35666
EUVD
EUVD-2026-21478
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-35666 allows attackers to bypass executable binding restrictions in OpenClaw, enabling unauthorized execution of commands that should be restricted by the allowlist mechanism.

This unauthorized execution can lead to high impacts on confidentiality, integrity, and availability of systems, as indicated by the CVSS scores.

Such a vulnerability could potentially lead to violations of compliance requirements in standards like GDPR and HIPAA, which mandate strict controls over access to sensitive data and system integrity.

By allowing unauthorized command execution, the vulnerability undermines security controls that help ensure data protection and system reliability, which are critical for regulatory compliance.

Detection Guidance

This vulnerability involves an allowlist bypass due to failure to unwrap the /usr/bin/time wrapper in OpenClaw. Detection involves verifying if commands wrapped by /usr/bin/time are being executed without proper authorization checks.

Since the vulnerability is related to command execution wrappers, you can monitor or audit command executions that involve the time command wrapping other executables.

  • Use system auditing tools (e.g., auditd on Linux) to log executions of /usr/bin/time and inspect the inner commands being run.
  • Check OpenClaw logs or approval states for commands that appear wrapped by time but bypass allowlist restrictions.
  • No specific detection commands are provided in the resources, but monitoring for unusual usage of the time command wrapping other executables is recommended.
Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.3.22 or later, where the vulnerability has been fixed.

The fix involves properly unwrapping the /usr/bin/time command wrapper so that executable binding restrictions are correctly enforced.

  • Update OpenClaw to version 2026.3.22 or newer.
  • Apply patches from the commit 39409b6a6dd4239deea682e626bac9ba547bfb14 if upgrading is not immediately possible.
  • Review and tighten allowlist policies to ensure that wrappers like time are accounted for in command execution approvals.
Executive Summary

This vulnerability exists in OpenClaw versions before 2026.3.22 and involves an allowlist bypass in the system.run approvals mechanism. Specifically, the system fails to properly unwrap wrappers around the /usr/bin/time command. Attackers can exploit this by using an unregistered time wrapper to bypass executable binding restrictions, effectively reusing the approval state for inner commands that should not be allowed.

Impact Analysis

This vulnerability can allow attackers to bypass executable restrictions that are intended to limit what commands can be run. By exploiting the allowlist bypass, attackers with some privileges could execute unauthorized commands, potentially leading to elevated access or execution of harmful operations within the system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35666. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart