CVE-2026-32973 Overview
OpenClaw before version 2026.3.11 contains an exec allowlist bypass vulnerability in the matchesExecAllowlistPattern function. The vulnerability stems from improper pattern normalization that combines lowercasing with glob matching, resulting in overmatch behavior on POSIX paths. Attackers can exploit the ? wildcard matching across path segments to execute commands or access paths not intended to be permitted by operators.
Critical Impact
This vulnerability allows attackers to bypass security controls designed to restrict command execution, potentially enabling unauthorized command execution on affected systems running OpenClaw versions prior to 2026.3.11.
Affected Products
- OpenClaw versions prior to 2026.3.11
- OpenClaw Node.js package (all affected versions)
Discovery Timeline
- 2026-03-29 - CVE-2026-32973 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-32973
Vulnerability Analysis
The vulnerability resides in OpenClaw's exec allowlist pattern matching mechanism. The matchesExecAllowlistPattern function is intended to restrict which commands or paths can be executed within the OpenClaw environment. However, the implementation contains a critical flaw in how it normalizes and matches patterns against user-supplied input.
The issue arises from two combined behaviors: the function applies lowercasing to patterns during normalization, and the glob matching implementation incorrectly handles the ? wildcard character. On POSIX systems, the ? wildcard should match any single character except the path separator (/). However, the flawed implementation allows the ? wildcard to match across path segments, effectively permitting the wildcard to match the / character itself.
Root Cause
The root cause is classified under CWE-625 (Permissive Regular Expression). The pattern matching logic in matchesExecAllowlistPattern fails to properly constrain the ? glob wildcard to prevent it from matching path separators. When combined with the case normalization (lowercasing), this creates conditions where carefully crafted paths can match allowlist patterns in unintended ways, bypassing the intended security restrictions.
Attack Vector
The attack is network-accessible and does not require authentication or user interaction. An attacker can craft malicious path inputs that exploit the permissive glob matching to bypass allowlist restrictions. By leveraging the ? wildcard's ability to match path separators, attackers can construct paths that match allowlist patterns while actually pointing to unauthorized commands or file locations.
For example, if an allowlist pattern is configured to permit /app/bin/safe?cmd, an attacker might be able to match this pattern with paths like /app/bin/safe/malicious/cmd due to the ? wildcard incorrectly matching the / character and subsequent path components.
The vulnerability mechanism is detailed in the GitHub Security Advisory and the VulnCheck Advisory.
Detection Methods for CVE-2026-32973
Indicators of Compromise
- Unusual command execution patterns involving paths with unexpected directory traversal
- Log entries showing executed commands that should have been blocked by allowlist policies
- Attempted access to paths containing characters that would typically be filtered by glob patterns
Detection Strategies
- Monitor application logs for command execution events that do not match expected allowlist configurations
- Implement additional input validation layers that explicitly reject paths containing unexpected directory separators
- Deploy runtime application self-protection (RASP) solutions to detect allowlist bypass attempts
- Review audit logs for anomalous path patterns in exec calls
Monitoring Recommendations
- Enable verbose logging for the OpenClaw exec allowlist functionality to capture pattern matching decisions
- Set up alerts for command executions that originate from unexpected path patterns
- Implement file integrity monitoring on critical executables and scripts
- Monitor for privilege escalation attempts that may follow successful allowlist bypass
How to Mitigate CVE-2026-32973
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.11 or later immediately
- Review current exec allowlist configurations for overly permissive patterns
- Audit recent command execution logs for potential exploitation attempts
- Consider temporarily restricting exec functionality if upgrade is not immediately possible
Patch Information
OpenClaw has released version 2026.3.11 which addresses this vulnerability by correcting the glob matching behavior in matchesExecAllowlistPattern. The patch ensures that the ? wildcard character properly excludes path separator matching on POSIX systems. Detailed patch information is available in the GitHub Security Advisory.
Workarounds
- Avoid using the ? wildcard character in exec allowlist patterns until the system is patched
- Use explicit, fully-qualified paths in allowlist configurations instead of patterns with wildcards
- Implement additional input validation at the application layer to reject paths containing unexpected directory separators
- Consider using application-level sandboxing to limit the impact of potential bypass attacks
# Configuration example - Use explicit paths instead of wildcard patterns
# Before (vulnerable pattern):
# EXEC_ALLOWLIST="/app/bin/safe?cmd"
# After (explicit safe configuration):
EXEC_ALLOWLIST="/app/bin/safecmd,/app/bin/safe_cmd"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
