CVE-2026-29607 in OpenClaw

Summary

by MITRE • 03/19/2026

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can approve benign wrapped system.run commands and subsequently execute different payloads without approval, enabling remote code execution on gateway and node-host execution flows.


Analysis

by VulDB Data Team • 03/26/2026

CVE-2026-29607 affects OpenClaw versions prior to 2026.2.22. It is an authorization bypass in the way allow-always approval decisions for system.run commands are persisted. When an operator approves a wrapped command and selects allow-always, the entry written to the allowlist is keyed on the wrapper, that is, on the outer program that launches the command, rather than on the executable the wrapper actually runs. The approval logic therefore records the wrapper and never validates the intent of the inner executable.

The underlying assumption is that an allowlisted wrapper implies a benign payload. That assumption fails because the wrapper carries no information about what it will run: once the wrapper is persisted, any later system.run command that uses the same wrapper with a different inner command matches the stored entry and executes without a prompt. A remote attacker who can get a single harmless wrapped command approved can then submit a different payload behind the same wrapper and skip the approval check entirely. The flaw combines missing validation of the thing being persisted with an authorization decision made on the wrong identifier.

The affected code paths are both the gateway and the node-host execution flows, so a successful bypass yields arbitrary code execution on whichever host executes the command, with the privileges of the OpenClaw component running there. Because the persisted entry survives across sessions, one approved wrapper remains usable for later payloads until it is removed. For organizations that use OpenClaw to run commands on managed hosts, compromise of one node can be the starting point for wider movement across the environment.

The weakness maps to CWE-862 (Missing Authorization). Relevant ATT&CK techniques are T1059 (Command and Scripting Interpreter) for the code execution itself and T1546 (Event Triggered Execution) for the persistent approval that keeps the payload runnable. The fix is to upgrade to OpenClaw 2026.2.22 or later, which keys the persisted decision on the inner executable. Until the upgrade is applied, review existing allow-always entries and remove any that name a wrapper or launcher program rather than a concrete executable, alert on modifications to the persisted allowlist, and run the gateway and node-host components with least privilege so that a bypass does not immediately give host-level control. After patching, verify the fix directly: approve a wrapped command with allow-always, then submit the same wrapper with a different inner command and confirm that it still prompts.
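The following is an added example, not OpenClaw's own code, showing the two persistence strategies side by side: a wrapper-keyed allowlist (the pre-fix behaviour) and an allowlist keyed on the inner executable, together with the check described above (approve a benign wrapped command, then submit a different payload behind the same wrapper). The WRAPPERS and SHELLS tables, the option handling, the AllowList class and the sample commands are all assumptions made for this example; the advisory does not say which wrappers OpenClaw recognises or how its allowlist is stored.

```python
# Added example, not OpenClaw code: wrapper-keyed vs inner-executable-keyed
# allow-always persistence. WRAPPERS and SHELLS are illustrative tables chosen
# for this example; the advisory does not name which wrappers OpenClaw handles.
import os
import shlex

# Hypothetical launcher programs that execute another program named on their
# command line. The value is the set of options that consume a following
# argument (so "nice -n 10 ls" resolves to "ls", not "10").
WRAPPERS = {
    "nice": {"-n"},
    "nohup": set(),
    "env": {"-u", "-C"},
}
# Shell interpreters receive a command *string*, which may contain several
# commands; the inner executable cannot be decided statically, so the hardened
# key function refuses to persist anything for them.
SHELLS = {"sh", "bash", "zsh", "dash"}


def wrapper_key(argv):
    """Pre-fix behaviour (illustrative): persist whatever program comes first."""
    return os.path.basename(argv[0])


def inner_executable(argv):
    """Peel known wrappers and return the program that actually runs, or None
    when that cannot be decided (a shell string, or a wrapper with no command)."""
    i = 0
    while i < len(argv):
        name = os.path.basename(argv[i])
        if name in SHELLS:
            return None
        if name not in WRAPPERS:
            return name
        takes_value = WRAPPERS[name]
        i += 1  # step past the wrapper itself; guarantees progress
        while i < len(argv):
            tok = argv[i]
            if tok in takes_value:
                i += 2           # option plus its argument
            elif tok.startswith("-"):
                i += 1           # flag without an argument
            elif name == "env" and "=" in tok:
                i += 1           # VAR=value assignment consumed by env
            else:
                break            # first non-option token: the next program
    return None


class AllowList:
    """Persisted allow-always decisions, keyed by key_fn(argv)."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.entries = set()

    def needs_prompt(self, argv):
        key = self.key_fn(argv)
        return key is None or key not in self.entries

    def remember(self, argv):
        """Operator chose allow-always after approving argv."""
        key = self.key_fn(argv)
        if key is not None:
            self.entries.add(key)
        return key


def demo():
    """Approve one benign wrapped command, then submit a different payload
    behind the same wrapper. Returns, per strategy, whether the payload prompts."""
    benign = shlex.split("nice -n 10 ls -la /tmp")        # constructed input
    payload = shlex.split("nice -n 10 cat /etc/shadow")   # constructed input
    outcome = {}
    for label, key_fn in (("wrapper-keyed", wrapper_key),
                          ("inner-keyed", inner_executable)):
        allow = AllowList(key_fn)
        assert allow.needs_prompt(benign)   # first use always prompts
        allow.remember(benign)
        outcome[label] = allow.needs_prompt(payload)
    return outcome


if __name__ == "__main__":
    print(demo())
```

Under the wrapper-keyed strategy the second command matches the persisted "nice" entry and runs without a prompt, which is the bypass; under the inner-keyed strategy the stored entry is "ls", so "cat" prompts again. Keying on the inner program name is the minimum correction; a real allowlist should also refuse to persist anything it cannot resolve to a single executable (the None case here) and may want to pin the resolved path or argument pattern as well, since the executable name alone is still a coarse identifier.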

Responsible

VulnCheck

Reservation

03/04/2026

Disclosure

03/19/2026

Moderation

accepted

CPE

ready

EPSS

0.00091

KEV

no

Activities

very low

Sources
