CVE-2026-43530 Overview
CVE-2026-43530 is a weakened exec approval binding vulnerability in OpenClaw versions 2026.2.23 through 2026.4.12. The flaw resides in how OpenClaw evaluates busybox and toybox applet execution. These multi-call binaries dispatch to different applets based on argv[0] or the first argument, making it opaque which command will actually run. Attackers with low privileges can leverage this opacity to bypass exec approval controls and downgrade the risk classification of unsafe applet invocations. The issue is tracked under CWE-863: Incorrect Authorization.
Critical Impact
Attackers can bypass OpenClaw's exec approval mechanism by routing dangerous commands through busybox or toybox applets, defeating the integrity of command authorization decisions.
Affected Products
- OpenClaw 2026.2.23 through 2026.4.11
- OpenClaw distributed via Node.js package channel
- Deployments using busybox or toybox multi-call binaries as approved interpreters
Discovery Timeline
- 2026-05-05 - CVE-2026-43530 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43530
Vulnerability Analysis
OpenClaw maintains a list of safe interpreter-like binaries used to validate child process execution. busybox and toybox were included in this safe set. Both are multi-call binaries: a single executable provides hundreds of applets such as sh, wget, nc, chmod, and mount. The applet dispatched depends on argv[0] or the first command-line argument rather than the binary path itself.
Because OpenClaw bound exec approval to the binary name, an attacker invoking busybox sh -c '<payload>' or busybox wget <url> could route arbitrary applet behavior through an approved binary. The approval logic could not see which applet would actually execute, weakening the binding between approval decisions and runtime behavior.
Root Cause
The root cause is an authorization decision based on insufficient context. Treating busybox and toybox as interpreter-like safe bins ignored their multi-call dispatch semantics. The approval engine inspected the executable path but not the resolved applet, allowing dangerous applets to inherit the trust of the wrapper binary.
Attack Vector
Exploitation requires low-privilege access to invoke commands through OpenClaw's execution layer. The attacker crafts an invocation that passes the approval gate by naming busybox or toybox, then selects an applet such as sh or nc to execute attacker-controlled logic. No user interaction is required, and the attack is reachable over the network.
// Patch from src/node-host/invoke-system-run-plan.ts
// fix(security): remove busybox/toybox from interpreter-like safe bins
"vite-node",
]);
+const OPAQUE_MUTABLE_SCRIPT_RUNNERS = new Set(["busybox", "toybox"]);
+
const BUN_SUBCOMMANDS = new Set([
"add",
"audit",
Source: GitHub commit 666f48d. The patch introduces an explicit OPAQUE_MUTABLE_SCRIPT_RUNNERS set, separating multi-call binaries from the interpreter safe list so approval decisions account for their dispatch behavior.
Detection Methods for CVE-2026-43530
Indicators of Compromise
- Process executions where the parent is the OpenClaw runtime and the child command line begins with busybox or toybox followed by a high-risk applet name such as sh, ash, wget, nc, or chmod.
- Audit log entries showing exec approval grants for busybox/toybox paired with arguments inconsistent with expected automation.
- Outbound network connections initiated by busybox/toybox child processes following an OpenClaw plan invocation.
Detection Strategies
- Hunt for OpenClaw child processes whose argv[0] or first argument resolves to a shell or networking applet within a multi-call binary.
- Correlate exec approval decisions with the actual resolved applet by parsing full command lines, not just binary paths.
- Flag any OpenClaw deployment running versions between 2026.2.23 and 2026.4.11 as exposed until upgraded.
Monitoring Recommendations
- Enable verbose audit logging in OpenClaw to capture full argument vectors for every approved exec call.
- Forward host process telemetry to a centralized log platform and alert on busybox/toybox invocations from service accounts.
- Baseline expected applet usage per environment so anomalous applet dispatch generates an alert.
How to Mitigate CVE-2026-43530
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.12 or later, which removes busybox and toybox from the interpreter-like safe bins.
- Inventory OpenClaw deployments and identify hosts where busybox or toybox is present on PATH.
- Review historical exec approval logs for prior invocations routed through busybox or toybox.
Patch Information
The fix is delivered in commit 666f48d9b882a8a1415ca53f9567c72499d850c9 and described in GHSA-2cq5-mf3v-mx44. Additional analysis is available in the VulnCheck advisory.
Workarounds
- Remove or rename busybox and toybox binaries on hosts running affected OpenClaw versions where operationally feasible.
- Restrict OpenClaw service accounts so they cannot resolve multi-call binaries on PATH.
- Add custom deny rules in the OpenClaw exec approval configuration that explicitly block busybox and toybox invocations.
# Verify installed OpenClaw version and patch status
npm ls openclaw
# Upgrade to the patched release
npm install openclaw@>=2026.4.12
# Optional hardening: prevent multi-call binary resolution for the service user
sudo chmod 750 /usr/bin/busybox /usr/bin/toybox 2>/dev/null || true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
