CVE-2026-35666
Allowlist Bypass in OpenClaw system.run Enables Execution Restriction Evasion
Publication date: 2026-04-10
Last updated on: 2026-04-13
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | < 2026.3.22 (fixed in 2026.3.22) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-706 | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-35666 allows attackers to bypass executable binding restrictions in OpenClaw, enabling unauthorized execution of commands that should be restricted by the allowlist mechanism.
This unauthorized execution can lead to high impacts on confidentiality, integrity, and availability of systems, as indicated by the CVSS scores.
Such a vulnerability could potentially lead to violations of compliance requirements in standards like GDPR and HIPAA, which mandate strict controls over access to sensitive data and system integrity.
By allowing unauthorized command execution, the vulnerability undermines security controls that help ensure data protection and system reliability, which are critical for regulatory compliance.
Can you explain this vulnerability to me?
This vulnerability affects OpenClaw versions before 2026.3.22 and lies in the allowlist used by the system.run approvals mechanism. That mechanism binds an approval to a specific executable, and to find that executable it has to see through wrapper commands such as time. Before the fix, an unregistered spelling of the time wrapper (/usr/bin/time) was not unwrapped, so the approval check stopped at the wrapper instead of at the command it actually launches. An attacker can therefore prefix a disallowed command with the unregistered time wrapper: the check reuses the approval state already held for the wrapper, and the inner command runs even though the executable binding should have blocked it. This is the resource-resolution failure described by CWE-706: the name the check resolves (the wrapper) is not the resource that is ultimately used (the inner executable).
How can this vulnerability impact me?
This vulnerability lets an attacker bypass the executable restrictions that are meant to limit what system.run may launch. Anyone who can already cause system.run to be invoked, but whose commands are supposed to be confined to the allowlist, can wrap an arbitrary command in /usr/bin/time and have it executed with the approval state of the wrapper. The practical result is unauthorized command execution on the host running OpenClaw, with whatever privileges that process holds, which can lead to elevated access or destructive operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is an allowlist bypass caused by OpenClaw not unwrapping the /usr/bin/time wrapper, so detection has two parts: confirming whether an affected version is installed, and looking for command executions in which /usr/bin/time wraps an executable that was never approved on its own.
- Check the installed OpenClaw version; anything below 2026.3.22 is affected and should be treated as exposed regardless of what the logs show.
- Use system auditing tools (e.g. auditd on Linux) to record execve calls of /usr/bin/time and inspect the argv of each record; the inner command, not the wrapper, is what matters. Note that a bare time in a shell is usually a shell keyword rather than /usr/bin/time, so the binary path is the thing to watch.
- Review OpenClaw logs or approval state for system.run commands whose first word is /usr/bin/time and compare the wrapped executable against the allowlist; any inner executable that is absent from the allowlist reached execution only through the bypass.
- The advisory provides no specific detection signature or commands, so monitoring for unusual use of the time wrapper around other executables is the recommended approach.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OpenClaw to version 2026.3.22 or later, where the vulnerability has been fixed.
The fix makes the approvals mechanism unwrap the /usr/bin/time wrapper before resolving the executable, so the binding restriction is enforced against the command that actually runs.
- Update OpenClaw to version 2026.3.22 or newer.
- If upgrading is not immediately possible, backport the fix from commit 39409b6a6dd4239deea682e626bac9ba547bfb14.
- Until patched, review and tighten allowlist policies so that wrapper executables such as /usr/bin/time are not approved in their own right, and revoke any existing approval state bound to the wrapper, since that state is exactly what the bypass reuses.
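The mechanism described in the answers above, modelled as an added example; this is illustration code, not OpenClaw's own implementation. It assumes an approval state keyed by executable path, a wrapper registry in which the pre-fix build knows only the bare word time while the fixed build also knows /usr/bin/time, GNU time option handling, and a constructed list of logged commands. The same function that the fixed resolver uses is then turned into the detection pass the previous answer recommends: it flags logged commands whose wrapped executable was never approved.

```typescript
// Added example, not OpenClaw code. Models an executable-bound approval check
// for a system.run-style tool and shows why a wrapper spelling the resolver
// does not register lets the wrapper's approval be reused for any inner
// command. Wrapper registry, flag handling and log format are assumptions.

// Minimal whitespace tokenizer; the constructed inputs use no shell quoting.
function splitWords(cmd: string): string[] {
  return cmd.trim().split(/\s+/).filter((w) => w.length > 0);
}

// GNU time options that consume a following argument; the inner command
// starts after the options (assumption for this model).
const TIME_FLAGS_WITH_ARG = new Set(["-f", "--format", "-o", "--output"]);

// Index of the first word after a time wrapper and its options.
function skipTimeOptions(words: string[]): number {
  let i = 1;
  while (i < words.length) {
    const w = words[i];
    if (TIME_FLAGS_WITH_ARG.has(w)) { i += 2; continue; }
    if (w.startsWith("-")) { i += 1; continue; }
    break;
  }
  return i;
}

// Resolve the executable an approval is bound to, seeing through every
// wrapper spelling in `registeredWrappers`. The vulnerable behaviour is
// nothing more than a registry missing one spelling of the wrapper.
function resolveExecutable(cmd: string, registeredWrappers: Set<string>): string {
  let words = splitWords(cmd);
  while (words.length > 0 && registeredWrappers.has(words[0])) {
    words = words.slice(skipTimeOptions(words));
  }
  return words[0] ?? "";
}

// Assumed pre-fix registry: the bare word only, so /usr/bin/time is opaque.
const VULNERABLE_WRAPPERS = new Set(["time"]);
// Assumed fixed registry: every spelling of the wrapper is unwrapped.
const FIXED_WRAPPERS = new Set(["time", "/usr/bin/time"]);

// Approval state: executables the operator has already approved.
type ApprovalState = { approvedExecutables: Set<string> };

// True when the command runs without a fresh approval prompt.
function isApproved(cmd: string, state: ApprovalState, registeredWrappers: Set<string>): boolean {
  return state.approvedExecutables.has(resolveExecutable(cmd, registeredWrappers));
}

// Detection pass over logged command strings: flag commands that went through
// a wrapper spelling the pre-fix resolver did not unwrap and whose real
// executable is not in the approved set.
function findWrapperBypasses(cmds: string[], state: ApprovalState): string[] {
  return cmds.filter((cmd) => {
    const first = splitWords(cmd)[0] ?? "";
    if (!FIXED_WRAPPERS.has(first) || VULNERABLE_WRAPPERS.has(first)) return false;
    return !state.approvedExecutables.has(resolveExecutable(cmd, FIXED_WRAPPERS));
  });
}

// Constructed scenario: the operator once approved `/usr/bin/time /usr/bin/ls`,
// so the pre-fix state holds an approval bound to the wrapper itself.
const SAMPLE_STATE: ApprovalState = {
  approvedExecutables: new Set(["/usr/bin/ls", "/usr/bin/time"]),
};

// Constructed log lines, as an execution or approval log might record them.
const SAMPLE_LOG: string[] = [
  "/usr/bin/ls -la /tmp",
  "/usr/bin/time /usr/bin/ls /tmp",
  "/usr/bin/time -f %e /bin/sh -c id",          // bypass: /bin/sh was never approved
  "time /bin/sh -c id",                         // bare `time` is unwrapped, so it prompts
  "/usr/bin/time -o /tmp/t.log /usr/bin/curl http://example.invalid", // bypass
];

function demo(): { vulnerable: boolean; fixed: boolean; flagged: string[] } {
  const attack = "/usr/bin/time -f %e /bin/sh -c id";
  return {
    vulnerable: isApproved(attack, SAMPLE_STATE, VULNERABLE_WRAPPERS), // true: bound to /usr/bin/time
    fixed: isApproved(attack, SAMPLE_STATE, FIXED_WRAPPERS),           // false: bound to /bin/sh
    flagged: findWrapperBypasses(SAMPLE_LOG, SAMPLE_STATE),
  };
}

console.log(demo());
```

Run it with a TypeScript runner such as tsx. The design point is that the unwrapper is shared by the approval check and by the detector: whatever spelling of a wrapper the resolver does not know is, by construction, a spelling the allowlist never evaluates, so a deployment that adds further wrapper families (the same CWE-706 pattern applies to any executable that launches another) has to register each of them in the one place both paths use.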