CVE-2026-35666 Overview
CVE-2026-35666 is an authorization bypass in OpenClaw, a Node.js package, that lets an attacker circumvent the executable-binding restrictions of the system.run approvals mechanism. The approval verification does not unwrap /usr/bin/time, which is not registered as a wrapper the checker must look through, so approval state granted for one command can be reused to run a different command placed inside the time wrapper.
Critical Impact
An attacker can sidestep allowlist-based controls and execute arbitrary commands by wrapping them in a time utility invocation that the approval check does not inspect, leading to unauthorized command execution on the host running OpenClaw.
Affected Products
- OpenClaw (Node.js package), all versions prior to 2026.3.22
- Any deployment that relies on OpenClaw's system.run approval mechanism to restrict which executables may run
Discovery Timeline
- 2026-04-10 - CVE-2026-35666 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-35666
Vulnerability Analysis
This vulnerability is classified as CWE-706 (Use of Incorrectly-Resolved Name or Reference): the software identifies a resource by a name or reference that can resolve to a different resource than intended. In OpenClaw, the system.run approval mechanism keeps an allowlist of executables that users may run, but its validation logic does not account for wrapper utilities such as /usr/bin/time, which take another command as their argument and execute it.
When an approved command is wrapped with time, the verification step does not unwrap and validate the inner command. Because /usr/bin/time is not registered as a wrapper the checker must look through, an attacker can place an arbitrary command inside it, and approval state granted for a legitimate command is reused to authorize that inner command even though the allowlist would otherwise block it.
Root Cause
The root cause lies in the incomplete parsing of command structures within the system.run approval workflow. The allowlist validation examines the outermost command but does not recursively inspect commands passed as arguments to wrapper utilities. This design oversight allows the /usr/bin/time wrapper to act as a conduit for executing unapproved binaries, effectively nullifying the security boundary established by the allowlist mechanism.
Attack Vector
The attack is network-reachable and requires only low privileges: an attacker who already holds valid credentials or other access to an OpenClaw deployment can exploit it by:
- Identifying a command that the allowlist or an existing approval already permits
- Wrapping an unapproved target command with /usr/bin/time (or another wrapper the approval logic does not unwrap)
- Submitting the wrapped command through the system.run interface
- The approval check then validates only the outer time invocation, and the inner command runs under the reused approval state
Once the bypass is understood, exploitation is straightforward: it requires neither complex preconditions nor user interaction.
Detection Methods for CVE-2026-35666
Indicators of Compromise
- Unexpected command executions wrapped with /usr/bin/time or similar utilities in OpenClaw logs
- Anomalous system.run requests containing nested command structures
- Execution of commands that should be blocked by allowlist policies but are preceded by time wrapper invocations
- Unusual patterns of approval state reuse across disparate command types
Detection Strategies
- Monitor OpenClaw audit logs for system.run calls containing wrapper utilities like time, env, or similar command dispatch mechanisms
- Implement behavioral analysis to detect commands that deviate from normal allowlist patterns
- Deploy application-level monitoring to flag nested or wrapped command structures in approval requests
- Review authentication logs for accounts executing an unusual volume of wrapped commands
Monitoring Recommendations
- Enable verbose logging for the OpenClaw system.run module to capture full command strings including arguments
- Configure alerting for any command execution involving /usr/bin/time or other dispatch wrappers not explicitly in the allowlist
- Establish baseline behavioral profiles for legitimate system.run usage patterns to identify anomalies
- Integrate OpenClaw logs with SIEM solutions for centralized correlation and threat hunting
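The following is an added example, not OpenClaw's code and not taken from the advisory. It models the approval-binding logic described under Root Cause and Attack Vector (the vulnerable check that keys approval on the outermost executable, beside a hardened check that unwraps wrapper utilities before deciding) and, using the same unwrapper, the audit-log scan suggested under Detection Strategies. The allowlist, the wrapper option table, the ApprovalStore class, and the JSON audit lines are all constructed for illustration; OpenClaw's real data structures and log format are not reproduced here.

```javascript
// Added example, not OpenClaw's code. Models the bypass described on this page:
// approval state keyed on the outermost executable can be reused for any command
// placed inside a wrapper such as /usr/bin/time. Everything below (allowlist,
// wrapper table, ApprovalStore, log format) is constructed for illustration.

// Basename of a path ("/usr/bin/time" -> "time"); the policy is keyed on basenames.
const basename = (p) => p.slice(p.lastIndexOf("/") + 1);

// Constructed policy: executables that system.run may launch.
const ALLOWLIST = new Set(["ls", "git", "node"]);

// Wrapper utilities that exec their first non-option argument. The option sets are an
// approximation (assumption); a real checker must model each wrapper's full grammar.
const WRAPPERS = {
  time:  { optsWithArg: new Set(["-f", "--format", "-o", "--output"]) },
  env:   { optsWithArg: new Set(["-u", "--unset", "-C", "--chdir", "-S", "--split-string"]), assignments: true },
  nice:  { optsWithArg: new Set(["-n", "--adjustment"]) },
  nohup: { optsWithArg: new Set() },
};

// Skip one wrapper's own options (and VAR=value assignments for env) and return the
// argv it will actually exec; null if argv[0] is not a wrapper or the wrapper has no target.
function unwrapOnce(argv) {
  const spec = WRAPPERS[basename(argv[0])];
  if (!spec) return null;
  let i = 1;
  while (i < argv.length) {
    const a = argv[i];
    if (a === "--") { i++; break; }                            // end of wrapper options
    if (spec.optsWithArg.has(a)) { i += 2; continue; }        // option that consumes the next word
    if (a.startsWith("-") && a.length > 1) { i++; continue; } // flag or --opt=value
    if (spec.assignments && /^[A-Za-z_][A-Za-z0-9_]*=/.test(a)) { i++; continue; }
    break;                                                     // first non-option word: inner command
  }
  return i < argv.length ? argv.slice(i) : null;
}

// Peel nested wrappers (e.g. env ... nice ... time ... cmd) down to the command that runs.
function effectiveCommand(argv, maxDepth = 8) {
  let cur = argv;
  for (let d = 0; d < maxDepth; d++) {
    const inner = unwrapOnce(cur);
    if (inner === null) return cur;
    cur = inner;
  }
  return cur;
}

// Vulnerable binding: the approval key is whatever sits at argv[0], wrapper or not.
const vulnerableBinding = (argv) => basename(argv[0]);

// Hardened binding: key on the executable that will actually run; refuse to bind a bare or
// unresolvable wrapper (fail closed rather than treat "time" as the approved binary).
const hardenedBinding = (argv) => {
  const name = basename(effectiveCommand(argv)[0]);
  return WRAPPERS[name] ? null : name;
};

// Persisted "allow always" approvals, keyed by whichever binding function is in use.
class ApprovalStore {
  constructor(bindingFn) { this.bindingFn = bindingFn; this.approved = new Set(); }
  approve(argv) { const b = this.bindingFn(argv); if (b !== null) this.approved.add(b); }
  isApproved(argv) { const b = this.bindingFn(argv); return b !== null && this.approved.has(b); }
}

// Reproduce the reuse: a user approved "time git status" once; the attacker then submits
// "time bash -c id". Returns what each checker decides.
function demonstrateBypass() {
  const approvedOnce = ["/usr/bin/time", "git", "status"];
  const attack = ["/usr/bin/time", "-v", "bash", "-c", "id"];
  const vuln = new ApprovalStore(vulnerableBinding);
  const hard = new ApprovalStore(hardenedBinding);
  vuln.approve(approvedOnce);
  hard.approve(approvedOnce);
  return { vulnerableAllows: vuln.isApproved(attack), hardenedAllows: hard.isApproved(attack) };
}

// Detection: flag system.run calls whose outer executable is a wrapper but whose effective
// command is outside the allowlist (or is itself an unresolved wrapper).
function scanLog(lines) {
  const alerts = [];
  for (const line of lines) {
    const rec = JSON.parse(line);
    if (rec.tool !== "system.run") continue;
    const outer = basename(rec.argv[0]);
    const effective = basename(effectiveCommand(rec.argv)[0]);
    if (WRAPPERS[outer] && (WRAPPERS[effective] || !ALLOWLIST.has(effective))) {
      alerts.push({ ts: rec.ts, actor: rec.actor, outer, effective });
    }
  }
  return alerts;
}

// Constructed sample audit lines (not OpenClaw's real log format).
const SAMPLE_LOG = [
  '{"ts":"2026-04-11T10:00:01Z","actor":"alice","tool":"system.run","argv":["git","status"]}',
  '{"ts":"2026-04-11T10:00:02Z","actor":"alice","tool":"system.run","argv":["/usr/bin/time","-v","git","status"]}',
  '{"ts":"2026-04-11T10:00:03Z","actor":"bob","tool":"system.run","argv":["/usr/bin/time","-o","/tmp/t","bash","-c","id"]}',
  '{"ts":"2026-04-11T10:00:04Z","actor":"bob","tool":"system.run","argv":["env","PATH=/tmp","nice","-n","5","curl","http://example.invalid"]}',
];

console.log(demonstrateBypass()); // { vulnerableAllows: true, hardenedAllows: false }
console.log(scanLog(SAMPLE_LOG)); // two alerts: bob's bash and curl invocations
```

The hardened binding deliberately returns null for a bare or unresolvable wrapper so that "time" alone can never become an approved binary; the scan treats alice's time-wrapped git as benign because its effective command is allowlisted, and raises only on the two lines where a wrapper hides a non-allowlisted executable.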
How to Mitigate CVE-2026-35666
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.22 or later immediately
- Audit recent system.run logs for any suspicious command wrapping patterns
- Review current allowlist configurations and tighten permissions where possible
- Consider temporarily disabling system.run functionality if upgrade cannot be immediately applied
Patch Information
The OpenClaw development team has released security patches addressing this vulnerability. Two commits have been published to remediate the allowlist bypass:
- GitHub Commit 39409b6 - Initial fix for time wrapper handling
- GitHub Commit 630f147 - Additional hardening for approval state validation
Organizations should update to OpenClaw 2026.3.22 or apply the referenced patches. For complete technical details, refer to the GitHub Security Advisory GHSA-qm9x-v7cx-7rq4 and the VulnCheck Advisory.
Workarounds
- Explicitly add all wrapper utilities (such as /usr/bin/time, /usr/bin/env) to a deny list in your security configuration
- Implement additional validation at the infrastructure level to inspect and reject commands with nested structures
- Deploy network segmentation to limit access to systems running vulnerable OpenClaw instances
- Use application firewall rules to inspect and block system.run requests containing known wrapper utility patterns
# Example: restrict wrapper utilities in OpenClaw configuration
# NOTE: the variable names below are placeholders for illustration only; this page does not
# document OpenClaw's real option names. Take the actual keys from the project's documentation
# and the GHSA advisory, and treat the upgrade to 2026.3.22 as the only complete fix.
# Shell-style environment assignments, to be set in the environment OpenClaw runs under
# Deny common wrapper utilities
OPENCLAW_DENY_WRAPPERS="/usr/bin/time,/usr/bin/env,/bin/time"
# Enable strict command parsing
OPENCLAW_STRICT_PARSING=true
# Enable full command logging for audit
OPENCLAW_VERBOSE_LOGGING=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.