CVE-2026-31993 Overview
CVE-2026-31993 is an allowlist parsing mismatch vulnerability affecting OpenClaw versions prior to 2026.2.22. The vulnerability exists in the macOS companion app and allows authenticated operators with operator.write privileges to bypass exec approval checks. Attackers who have access to a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation, ultimately enabling arbitrary command execution on the paired host.
This authorization bypass vulnerability (CWE-184: Incomplete List of Disallowed Inputs) stems from improper validation logic in the exec allowlist matching functionality, creating a security gap that can be exploited by privileged users to execute unauthorized commands.
Critical Impact
Authenticated operators can bypass exec approval checks to execute arbitrary commands on paired macOS hosts, potentially compromising system integrity and enabling lateral movement within development environments.
Affected Products
- OpenClaw versions prior to 2026.2.22
- OpenClaw macOS companion app (Node.js platform)
- Systems with paired macOS beta nodes
Discovery Timeline
- 2026-03-19 - CVE-2026-31993 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-31993
Vulnerability Analysis
The vulnerability resides in the exec allowlist validation mechanism within the OpenClaw macOS companion application. The allowlist matching logic failed to properly evaluate shell-chain payloads, allowing commands that should have been blocked to pass validation and execute on paired hosts.
The core issue relates to how the application parsed and validated executable patterns against the allowlist. When processing commands containing path separators (/, ~, \), the original implementation had inconsistent matching behavior that could be exploited through carefully crafted shell-chain sequences. This incomplete validation allowed authenticated operators to construct payloads that appeared legitimate to the allowlist checker but actually contained unauthorized command sequences.
The vulnerability requires operator.write privileges and a paired macOS beta node, limiting the attack surface to authenticated users with elevated permissions. However, within that context, the impact is significant as it enables arbitrary command execution.
Root Cause
The root cause is CWE-184: Incomplete List of Disallowed Inputs. The exec allowlist matching functionality did not properly account for all possible shell-chain patterns that could bypass validation. The ExecAllowlistMatcher and ExecApprovalEvaluation components lacked consolidated logic for evaluating exec approval requests, leading to gaps in the validation chain.
The security patches introduce a new ExecAllowlistMatcher enum with proper pattern matching logic that correctly handles path-containing patterns versus executable name patterns:
+enum ExecAllowlistMatcher {
+ static func match(entries: [ExecAllowlistEntry], resolution: ExecCommandResolution?) -> ExecAllowlistEntry? {
+ guard let resolution, !entries.isEmpty else { return nil }
+ let rawExecutable = resolution.rawExecutable
+ let resolvedPath = resolution.resolvedPath
+ let executableName = resolution.executableName
+
+ for entry in entries {
+ let pattern = entry.pattern.trimmingCharacters(in: .whitespacesAndNewlines)
+ if pattern.isEmpty { continue }
+ let hasPath = pattern.contains("/") || pattern.contains("~") || pattern.contains("\\")
+ if hasPath {
+ let target = resolvedPath ?? rawExecutable
+ if self.matches(pattern: pattern, target: target) { return entry }
+ } else if self.matches(pattern: pattern, target: executableName) {
+ return entry
+ }
+ }
+ return nil
+ }
Source: GitHub Commit
Attack Vector
The attack vector is network-based and requires high privileges (operator.write) along with user interaction through a paired macOS beta node. An attacker with the necessary privileges can:
- Establish or utilize an existing connection to a paired macOS beta node
- Craft shell-chain payloads designed to exploit the incomplete allowlist validation
- Submit the malicious payload through normal exec approval channels
- Bypass the incomplete validation to execute arbitrary commands on the paired host
The consolidated exec approval evaluation introduced in the patch addresses this by properly normalizing agent IDs and resolving approvals:
+struct ExecApprovalEvaluation {
+ let command: [String]
+ let displayCommand: String
+ let agentId: String?
+ let security: ExecSecurity
+ let ask: ExecAsk
+ let env: [String: String]
+ let resolution: ExecCommandResolution?
+ let allowlistResolutions: [ExecCommandResolution]
+ let allowlistMatches: [ExecAllowlistEntry]
+ let allowlistSatisfied: Bool
+ let allowlistMatch: ExecAllowlistEntry?
+ let skillAllow: Bool
+}
Source: GitHub Commit
Detection Methods for CVE-2026-31993
Indicators of Compromise
- Unusual exec approval requests containing shell-chain patterns with multiple path separators or escape sequences
- Unexpected command executions on paired macOS hosts from authenticated operators
- Anomalous patterns in exec approval logs showing commands that bypass normal allowlist entries
- Unauthorized process spawning on macOS beta nodes following legitimate operator authentication
Detection Strategies
- Monitor exec approval logs for commands containing suspicious shell-chain patterns or unusual path combinations
- Implement behavioral analysis on paired macOS hosts to detect unexpected command execution following operator authentication
- Review operator audit logs for patterns of exec requests that should have been denied but were approved
- Deploy endpoint detection to identify unauthorized process execution on macOS beta nodes
Monitoring Recommendations
- Enable verbose logging for the OpenClaw macOS companion app exec approval system
- Configure alerts for exec requests from operators that contain shell metacharacters or chain operators
- Implement real-time monitoring of command execution on paired macOS beta nodes
- Establish baseline behavior for operator exec requests to identify anomalous patterns
How to Mitigate CVE-2026-31993
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.22 or later immediately
- Review exec approval logs for evidence of exploitation attempts prior to patching
- Audit operator accounts with operator.write privileges for unauthorized activity
- Temporarily restrict access to macOS beta node pairing functionality if patching cannot be immediately applied
Patch Information
OpenClaw has released security patches addressing this vulnerability. The fixes are available in version 2026.2.22 and later. Two commits address the vulnerability:
- Commit 5da03e6 - Hardens exec allowlist shell-chain checks
- Commit e371da3 - Consolidates exec approval evaluation
For complete details, refer to the GitHub Security Advisory GHSA-5f9p-f3w2-fwch.
Workarounds
- Restrict operator.write privileges to only essential personnel until patching is complete
- Disable or limit macOS beta node pairing functionality in production environments
- Implement additional network segmentation between OpenClaw management systems and paired macOS hosts
- Deploy additional monitoring on exec approval endpoints to detect and block suspicious shell-chain patterns
# Review current operator privileges and consider temporary restrictions
openclaw operators list --filter="privileges contains operator.write"
# Disable beta node pairing temporarily (if supported by your deployment)
openclaw config set macos.beta-pairing.enabled false
# Enable enhanced logging for exec approvals
openclaw config set logging.exec-approval.level verbose
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
