CVE-2026-32010 in OpenClaw
Summary
by MITRE • 03/20/2026
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. When sort is explicitly added to tools.exec.safeBins, remote attackers can bypass intended safe-bin approval constraints by leveraging the compress-program parameter to execute unauthorized external programs.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/15/2026
The vulnerability exists within the OpenClaw software ecosystem, specifically affecting versions prior to 2026.2.22, where a critical allowlist bypass mechanism has been identified in the safeBins configuration. This flaw represents a significant security weakness that undermines the intended protection measures designed to restrict execution of external helper programs. The vulnerability stems from improper validation of the compress-program option within the tools.exec.safeBins parameter, creating an unintended execution path that bypasses the configured security constraints. The issue manifests when the sort utility is explicitly included in the safeBins allowlist, which inadvertently provides attackers with a mechanism to invoke unauthorized external programs through the compress-program parameter.
This technical flaw operates at the intersection of command execution validation and configuration management, where the security model assumes that explicit inclusion of tools in safeBins provides comprehensive protection. However, the vulnerability demonstrates how parameter handling can be exploited to circumvent intended restrictions, creating a pathway for attackers to execute arbitrary code through seemingly benign configuration options. The flaw essentially allows attackers to leverage the legitimate sort utility as a proxy for executing unauthorized external programs, exploiting the compress-program parameter to extend beyond the originally intended safe execution boundaries. This represents a classic example of insufficient input validation and improper privilege separation, where the system fails to properly validate the context in which allowed tools are invoked.
The operational impact of this vulnerability extends beyond simple code execution, as it enables remote attackers to potentially escalate privileges and gain unauthorized access to system resources. Attackers can exploit this vulnerability to execute malicious payloads through the compress-program parameter, effectively bypassing the intended safe-bin constraints that should prevent execution of unauthorized external programs. The implications are particularly concerning because the vulnerability allows for remote exploitation without requiring local system access, making it a significant threat vector for attackers seeking to compromise OpenClaw environments. This vulnerability creates opportunities for data exfiltration, system compromise, and further lateral movement within affected networks, as the attacker can execute arbitrary commands through the established trust relationship with the sort utility.
Mitigation strategies should focus on implementing comprehensive parameter validation and restricting the execution of external programs through the compress-program option. Organizations should immediately update to OpenClaw version 2026.2.22 or later, which contains patches addressing this specific vulnerability. Additionally, security configurations should be reviewed to ensure that the safeBins parameter does not inadvertently allow execution of tools that could be used as proxies for unauthorized command execution. The implementation of principle of least privilege should be enforced, limiting the scope of tools permitted in safeBins to only those absolutely necessary for legitimate operations. Network segmentation and monitoring should be implemented to detect anomalous execution patterns that might indicate exploitation attempts. This vulnerability aligns with CWE-78 and CWE-798 categories, representing improper input validation and hard-coded credentials issues, respectively, and maps to ATT&CK techniques involving execution through valid operating system utilities and privilege escalation through command injection.