Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27183

CVE-2026-27183: Openclaw Auth Bypass Vulnerability

CVE-2026-27183 is an authentication bypass flaw in Openclaw that allows attackers to skip shell wrapper approval requirements through dispatch-wrapper handling. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-27183 Overview

CVE-2026-27183 is an authorization bypass vulnerability in OpenClaw, a Node.js application, affecting versions prior to 2026.3.7. The vulnerability exists in the system.run dispatch-wrapper handling mechanism, where attackers can bypass shell wrapper approval requirements due to a boundary drift issue between the approval classifier and execution planner components.

The root cause stems from different depth-boundary rules being applied by the approval classifier versus the execution planner. This misalignment permits exactly four transparent dispatch wrappers (such as repeated env invocations before /bin/sh -c) to bypass security=allowlist approval gating by creating a classification-execution planning discrepancy.

Critical Impact

Attackers can bypass shell approval gating controls to execute unauthorized shell commands by exploiting the depth boundary mismatch between classification and execution planning components.

Affected Products

  • OpenClaw versions prior to 2026.3.7
  • OpenClaw for Node.js (all platforms)

Discovery Timeline

  • 2026-03-23 - CVE-2026-27183 published to NVD
  • 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-27183

Vulnerability Analysis

The vulnerability is classified under CWE-863 (Incorrect Authorization), indicating a fundamental flaw in how authorization decisions are made within the dispatch wrapper resolution system.

The core issue lies in the boundary condition check within the exec-wrapper-resolution.ts file. The approval classifier and execution planner components use inconsistent logic when evaluating the depth of dispatch wrappers. Specifically, the original code used a greater-than-or-equal (>=) comparison against MAX_DISPATCH_WRAPPER_DEPTH, while the execution planner used a strictly greater-than (>) comparison. This one-off error creates a window where wrappers at exactly the boundary depth are handled differently by each component.

When an attacker chains exactly four transparent dispatch wrappers (such as nested env commands) before a shell invocation like /bin/sh -c, the approval classifier may reject the wrapper at the boundary while the execution planner accepts it, or vice versa. This misalignment allows bypass of the security=allowlist approval gating mechanism.

Root Cause

The vulnerability originates from an off-by-one error in the depth boundary check within the isTransparentDispatchWrapper function in src/infra/exec-wrapper-resolution.ts. The original implementation used depth >= MAX_DISPATCH_WRAPPER_DEPTH which caused wrappers found exactly at the configured dispatch depth boundary to be excluded from approval classification, while the execution planner still processed them.

Attack Vector

This is a local attack vector vulnerability requiring the attacker to have local access to the system running OpenClaw. The attack involves:

  1. Crafting a command chain with exactly four transparent dispatch wrappers
  2. Appending a shell invocation (/bin/sh -c) after the wrapper chain
  3. The approval classifier fails to classify the final wrapper due to the boundary check
  4. The execution planner processes the command, bypassing the allowlist approval gate

The security patch corrects the boundary condition by changing the comparison operator:

typescript
   depth: number,
   envManipulationSeen: boolean,
 ): boolean {
-  if (depth >= MAX_DISPATCH_WRAPPER_DEPTH) {
+  // The wrapper found exactly at the configured dispatch depth boundary still needs
+  // to participate in approval classification; only paths beyond that boundary fail closed.
+  if (depth > MAX_DISPATCH_WRAPPER_DEPTH) {
     return false;
   }

Source: GitHub Commit Update

Detection Methods for CVE-2026-27183

Indicators of Compromise

  • Unusual shell command executions that bypass expected approval workflows
  • Command chains containing multiple nested env or similar transparent wrapper invocations
  • Execution logs showing shell commands (/bin/sh -c) preceded by exactly four wrapper calls
  • Approval system logs indicating classification failures for commands that were subsequently executed

Detection Strategies

  • Monitor for command execution patterns involving chained env commands followed by shell invocations
  • Implement logging at both the approval classifier and execution planner stages to detect classification-execution mismatches
  • Audit command execution logs for patterns where shell commands execute without corresponding approval entries
  • Deploy runtime application self-protection (RASP) to detect authorization bypass attempts

Monitoring Recommendations

  • Enable verbose logging for the system.run dispatch-wrapper handling subsystem
  • Create alerts for commands with four or more transparent dispatch wrappers in sequence
  • Correlate approval classifier decisions with execution planner actions to identify drift
  • Review application logs for CWE-863 related authorization inconsistencies

How to Mitigate CVE-2026-27183

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.3.7 or later immediately
  • Review execution logs for any evidence of past exploitation attempts
  • Audit any commands that may have bypassed approval gating prior to patching
  • Temporarily increase monitoring on shell command executions until patch is deployed

Patch Information

The vulnerability has been addressed in OpenClaw version 2026.3.7. The fix modifies the boundary condition check in src/infra/exec-wrapper-resolution.ts to ensure wrappers at exactly the depth boundary participate in approval classification. The patch is available via the GitHub Commit Update.

For complete details, refer to the GitHub Security Advisory.

Workarounds

  • Reduce MAX_DISPATCH_WRAPPER_DEPTH configuration value to limit wrapper chaining
  • Implement additional authorization checks at the execution planner layer as defense-in-depth
  • Temporarily disable or restrict system.run functionality if not business-critical
  • Apply network segmentation to limit local access to systems running vulnerable OpenClaw versions
bash
# Configuration example - reduce wrapper depth limit as temporary mitigation
export OPENCLAW_MAX_DISPATCH_WRAPPER_DEPTH=2
# Restart OpenClaw service to apply configuration
systemctl restart openclaw

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne