CVE-2026-32973

Summary

OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard matching across path segments to execute commands or paths not intended by operators.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.3.11affected
OpenClawOpenClaw2026.3.11unaffected

Weaknesses

  • CWE-625: Permissive Regular Expression

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References