CVE-2026-27183 Overview
CVE-2026-27183 is an authorization bypass vulnerability in OpenClaw, a Node.js application, affecting versions prior to 2026.3.7. The vulnerability exists in the system.run dispatch-wrapper handling mechanism, where attackers can bypass shell wrapper approval requirements due to a boundary drift issue between the approval classifier and execution planner components.
The root cause stems from different depth-boundary rules being applied by the approval classifier versus the execution planner. This misalignment permits exactly four transparent dispatch wrappers (such as repeated env invocations before /bin/sh -c) to bypass security=allowlist approval gating by creating a classification-execution planning discrepancy.
Critical Impact
Attackers can bypass shell approval gating controls to execute unauthorized shell commands by exploiting the depth boundary mismatch between classification and execution planning components.
Affected Products
- OpenClaw versions prior to 2026.3.7
- OpenClaw for Node.js (all platforms)
Discovery Timeline
- 2026-03-23 - CVE-2026-27183 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-27183
Vulnerability Analysis
The vulnerability is classified under CWE-863 (Incorrect Authorization), indicating a fundamental flaw in how authorization decisions are made within the dispatch wrapper resolution system.
The core issue lies in the boundary condition check within the exec-wrapper-resolution.ts file. The approval classifier and execution planner components use inconsistent logic when evaluating the depth of dispatch wrappers. Specifically, the original code used a greater-than-or-equal (>=) comparison against MAX_DISPATCH_WRAPPER_DEPTH, while the execution planner used a strictly greater-than (>) comparison. This one-off error creates a window where wrappers at exactly the boundary depth are handled differently by each component.
When an attacker chains exactly four transparent dispatch wrappers (such as nested env commands) before a shell invocation like /bin/sh -c, the approval classifier may reject the wrapper at the boundary while the execution planner accepts it, or vice versa. This misalignment allows bypass of the security=allowlist approval gating mechanism.
Root Cause
The vulnerability originates from an off-by-one error in the depth boundary check within the isTransparentDispatchWrapper function in src/infra/exec-wrapper-resolution.ts. The original implementation used depth >= MAX_DISPATCH_WRAPPER_DEPTH which caused wrappers found exactly at the configured dispatch depth boundary to be excluded from approval classification, while the execution planner still processed them.
Attack Vector
This is a local attack vector vulnerability requiring the attacker to have local access to the system running OpenClaw. The attack involves:
- Crafting a command chain with exactly four transparent dispatch wrappers
- Appending a shell invocation (/bin/sh -c) after the wrapper chain
- The approval classifier fails to classify the final wrapper due to the boundary check
- The execution planner processes the command, bypassing the allowlist approval gate
The security patch corrects the boundary condition by changing the comparison operator:
depth: number,
envManipulationSeen: boolean,
): boolean {
- if (depth >= MAX_DISPATCH_WRAPPER_DEPTH) {
+ // The wrapper found exactly at the configured dispatch depth boundary still needs
+ // to participate in approval classification; only paths beyond that boundary fail closed.
+ if (depth > MAX_DISPATCH_WRAPPER_DEPTH) {
return false;
}
Source: GitHub Commit Update
Detection Methods for CVE-2026-27183
Indicators of Compromise
- Unusual shell command executions that bypass expected approval workflows
- Command chains containing multiple nested env or similar transparent wrapper invocations
- Execution logs showing shell commands (/bin/sh -c) preceded by exactly four wrapper calls
- Approval system logs indicating classification failures for commands that were subsequently executed
Detection Strategies
- Monitor for command execution patterns involving chained env commands followed by shell invocations
- Implement logging at both the approval classifier and execution planner stages to detect classification-execution mismatches
- Audit command execution logs for patterns where shell commands execute without corresponding approval entries
- Deploy runtime application self-protection (RASP) to detect authorization bypass attempts
Monitoring Recommendations
- Enable verbose logging for the system.run dispatch-wrapper handling subsystem
- Create alerts for commands with four or more transparent dispatch wrappers in sequence
- Correlate approval classifier decisions with execution planner actions to identify drift
- Review application logs for CWE-863 related authorization inconsistencies
How to Mitigate CVE-2026-27183
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.7 or later immediately
- Review execution logs for any evidence of past exploitation attempts
- Audit any commands that may have bypassed approval gating prior to patching
- Temporarily increase monitoring on shell command executions until patch is deployed
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.3.7. The fix modifies the boundary condition check in src/infra/exec-wrapper-resolution.ts to ensure wrappers at exactly the depth boundary participate in approval classification. The patch is available via the GitHub Commit Update.
For complete details, refer to the GitHub Security Advisory.
Workarounds
- Reduce MAX_DISPATCH_WRAPPER_DEPTH configuration value to limit wrapper chaining
- Implement additional authorization checks at the execution planner layer as defense-in-depth
- Temporarily disable or restrict system.run functionality if not business-critical
- Apply network segmentation to limit local access to systems running vulnerable OpenClaw versions
# Configuration example - reduce wrapper depth limit as temporary mitigation
export OPENCLAW_MAX_DISPATCH_WRAPPER_DEPTH=2
# Restart OpenClaw service to apply configuration
systemctl restart openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
