CVE-2026-41390: OpenClaw Auth Bypass Vulnerability

CVE-2026-41390 Overview

CVE-2026-41390 is an authorization bypass vulnerability in OpenClaw before version 2026.3.28 that allows attackers to bypass the exec allowlist mechanism. The vulnerability exists in the allow-always persistence feature, which fails to properly unwrap /usr/bin/script and similar wrapper binaries before storing trust decisions. This flaw enables attackers to obtain user approval for one wrapped command and then exploit that trust decision to execute arbitrary underlying programs through the wrapper binaries.

Critical Impact

Attackers can leverage a single user-approved trust decision to execute unauthorized commands by abusing wrapper binaries that call different underlying programs, effectively bypassing the entire exec allowlist security mechanism.

Affected Products

• OpenClaw versions prior to 2026.3.28

Discovery Timeline

• 2026-04-28 - CVE-2026-41390 published to NVD
• 2026-04-28 - Last updated in NVD database

Technical Details for CVE-2026-41390

Vulnerability Analysis

This vulnerability falls under CWE-807 (Reliance on Untrusted Inputs in a Security Decision). The core issue lies in how OpenClaw's exec allowlist feature handles wrapper binaries when persisting trust decisions. When a user grants "allow-always" permission for a command executed through a wrapper like /usr/bin/script, the system stores the trust decision for the wrapper binary itself rather than the actual underlying command being executed.

The attack vector requires local access with low privileges and some user interaction to initially obtain approval. Once an attacker has trust established for a wrapper binary, they can leverage this to execute different programs through the same wrapper, effectively circumventing the security controls designed to restrict program execution.

Root Cause

The root cause is improper handling of wrapper binary trust relationships in OpenClaw's persistence mechanism. When processing allow-always decisions, the system fails to "unwrap" or resolve the actual executable being invoked through wrapper binaries such as /usr/bin/script. Instead of tracking trust at the underlying program level, the trust is incorrectly associated with the wrapper itself, creating a dangerous trust inheritance pattern.

Attack Vector

The attack requires local access to the target system. An attacker must first obtain user approval for a legitimate-appearing command that uses a wrapper binary. Once this trust is persisted, the attacker can abuse the wrapper binary to execute entirely different programs while inheriting the established trust decision. This transforms a single user approval into a broad execution capability that violates the intended security model of the exec allowlist feature.

The vulnerability mechanism works as follows: when /usr/bin/script is used to wrap a legitimate command and the user approves it with "allow-always," OpenClaw stores trust for the /usr/bin/script binary. Subsequently, any command executed through /usr/bin/script inherits this trust, regardless of whether the underlying program was ever approved by the user. For detailed technical analysis, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-41390

Indicators of Compromise

• Unexpected executions of wrapper binaries like /usr/bin/script with unusual or unauthorized child processes
• Abnormal patterns in OpenClaw trust decision logs showing wrapper binaries being approved followed by diverse underlying commands
• Execution of sensitive or suspicious programs through common wrapper utilities
• Multiple distinct commands executing under the same wrapper binary trust context

Detection Strategies

• Monitor process execution chains to identify wrapper binaries spawning unexpected child processes
• Audit OpenClaw configuration and trust persistence files for entries referencing known wrapper binaries
• Implement behavioral analysis to detect wrapper binary usage patterns inconsistent with normal user activity
• Cross-reference approved wrapper binaries against actual underlying command executions

Monitoring Recommendations

• Enable verbose logging for OpenClaw trust decisions and exec allowlist evaluations
• Deploy endpoint detection rules to flag wrapper binary executions that spawn high-risk processes
• Establish baseline patterns for legitimate wrapper binary usage to identify anomalous behavior
• Correlate trust approval events with subsequent command executions through wrapper utilities

How to Mitigate CVE-2026-41390

Immediate Actions Required

• Upgrade OpenClaw to version 2026.3.28 or later immediately
• Review and audit existing allow-always trust decisions for wrapper binaries such as /usr/bin/script
• Remove any persisted trust entries for wrapper binaries until the patch is applied
• Consider temporarily disabling the allow-always persistence feature if upgrading is not immediately possible

Patch Information

The vulnerability is addressed in OpenClaw version 2026.3.28. The fix implements proper unwrapping of wrapper binaries before storing trust decisions, ensuring that trust is associated with the actual underlying program rather than the wrapper itself. Users should upgrade to version 2026.3.28 or later to remediate this vulnerability. Refer to the VulnCheck Advisory for additional patch details.

Workarounds

• Manually audit and revoke allow-always trust decisions for common wrapper binaries including /usr/bin/script
• Configure OpenClaw to use per-session approvals instead of persistent allow-always decisions until patching is completed
• Restrict access to wrapper binaries using system-level file permissions where operationally feasible
• Implement additional application control policies to supplement OpenClaw's exec allowlist during the vulnerability window

# Review OpenClaw trust decisions for wrapper binaries
# Consult OpenClaw documentation for the appropriate configuration file location
# Remove or review entries associated with /usr/bin/script and similar wrappers
# Example: Audit trust configuration
grep -r "script" /path/to/openclaw/trust/config/