CVE-2026-29607 Overview
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the allow-always wrapper persistence mechanism. This flaw allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can exploit this by approving benign wrapped system.run commands and subsequently executing different payloads without approval, enabling remote code execution on gateway and node-host execution flows.
Critical Impact
This authorization bypass vulnerability enables remote code execution through manipulation of the allow-always wrapper persistence mechanism, allowing attackers to execute arbitrary payloads after initial approval of benign commands.
Affected Products
- OpenClaw versions prior to 2026.2.22
- OpenClaw for Node.js environments
- Gateway and node-host execution flow components
Discovery Timeline
- 2026-03-19 - CVE CVE-2026-29607 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-29607
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), enabling command injection through an authorization bypass mechanism. The flaw exists in how OpenClaw handles allow-always wrapper persistence for command approval workflows.
The vulnerability allows network-based attackers with high privileges to bypass security controls when user interaction is present. The attack can result in complete compromise of confidentiality, integrity, and availability of the affected system. The vulnerability requires an active attack precondition and user action to successfully exploit.
Root Cause
The root cause stems from improper validation in the allow-always wrapper persistence logic. The system validates and persists approval at the wrapper level rather than validating the inner executable intent. This architectural flaw means that once a wrapper command is approved, the underlying payload can be swapped without triggering re-approval.
The security patch addresses this by introducing resolveCommandResolutionFromArgv to properly resolve and validate the actual command being executed within the wrapper context, ensuring that inner executable intent is validated against the allowlist.
Attack Vector
The attack is network-accessible and involves the following exploitation flow:
- Attacker initially submits a benign wrapped system.run command for approval
- Once approved, the wrapper-level entry persists in the allowlist
- Attacker subsequently replaces the inner payload with malicious commands
- The system executes the malicious payload without re-validation since the wrapper is already approved
- Remote code execution is achieved on gateway and node-host execution flows
The security patch in src/infra/exec-approvals-allowlist.ts introduces proper command resolution:
isWindowsPlatform,
matchAllowlist,
resolveAllowlistCandidatePath,
+ resolveCommandResolutionFromArgv,
splitCommandChain,
type ExecCommandAnalysis,
type CommandResolution,
Source: GitHub Commit Update
Detection Methods for CVE-2026-29607
Indicators of Compromise
- Unusual system.run command patterns in gateway or node-host execution logs
- Allowlist entries that show discrepancies between wrapper-level approvals and actual executed commands
- Evidence of command substitution within previously approved wrapper contexts
- Unexpected command execution following benign command approvals
Detection Strategies
- Monitor for sequential command executions where wrapper approval is followed by different inner payloads
- Implement logging to capture both wrapper-level and inner executable details for all system.run invocations
- Deploy behavioral analysis to detect anomalous command execution patterns post-approval
- Review allowlist persistence logs for entries that were approved but later used with different payloads
Monitoring Recommendations
- Enable verbose logging on gateway and node-host execution flows to capture full command context
- Implement real-time alerting for command executions that deviate from original approved intent
- Establish baseline behavior for system.run commands and alert on deviations
- Regularly audit the allow-always wrapper persistence allowlist for suspicious entries
How to Mitigate CVE-2026-29607
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.22 or later immediately
- Review existing allow-always wrapper allowlist entries for potentially compromised approvals
- Clear and rebuild allowlist entries after applying the security patch
- Monitor gateway and node-host execution flows for signs of exploitation
Patch Information
The vendor has released a security patch that addresses this vulnerability by introducing proper command resolution from argv. The fix ensures that inner executable intent is validated against the allowlist rather than just the wrapper-level command.
Patch details are available in the GitHub Commit. For comprehensive vulnerability information, refer to the GitHub Security Advisory and the VulnCheck Advisory.
Workarounds
- Disable the allow-always wrapper persistence feature until the patch can be applied
- Implement additional validation layers at the application level to verify inner executable intent
- Restrict network access to gateway and node-host execution flows to trusted sources only
- Require re-approval for all command executions as a temporary compensating control
# Configuration example - Disable allow-always persistence (temporary workaround)
# In OpenClaw configuration file
OPENCLAW_ALLOW_ALWAYS_PERSISTENCE=false
OPENCLAW_REQUIRE_REAPPROVAL=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
