CVE-2026-32023 in OpenClaw

Summary

by MITRE • 03/20/2026

OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env to execute /bin/sh -c commands without triggering the expected approval prompt in allowlist plus ask=on-miss configurations.


Analysis

by VulDB Data Team • 03/26/2026

CVE-2026-32023 affects OpenClaw versions prior to 2026.2.24 and is an approval gating bypass in the allowlist mode of the system.run tool. In that mode the tool is meant to execute only allowlisted commands and, with ask=on-miss, to prompt a human for anything else; a separate shell-wrapper check is meant to stop an invocation such as /bin/sh -c from carrying an arbitrary command past the allowlist. The flaw is in how the gate handles transparent dispatch wrappers, programs such as /usr/bin/env that do nothing but exec the command given as their argument: when several such wrappers are nested, the shell-wrapper check is suppressed.

The root cause is that allowlist enforcement does not unwrap dispatch wrappers to a fixed point before classifying the command. The advisory wording implies that a single wrapper is seen through, so env /bin/sh -c ... is recognised as a shell wrapper and prompts. Once a second wrapper is chained in front of it, the check inspects the intermediate wrapper rather than the shell it ultimately dispatches to; each layer looks benign on its own, and the chain as a whole reaches /bin/sh -c without the gate ever seeing a shell wrapper. A deployment relying on allowlist plus ask=on-miss therefore gets neither protection: the effective command is not one the operator allowlisted, yet no approval prompt is raised.

The impact is execution of arbitrary shell commands with the privileges of the process that services system.run, without the human-in-the-loop approval the configuration was supposed to guarantee. The entry carries no CVSS score; EPSS is 0.00058 and the CVE is not in KEV, so exploitation in the wild is not indicated. The significance lies less in raw severity than in the failure mode: an operator who chose the most restrictive execution mode has a control that can be switched off by prepending wrapper binaries to a command, and any audit trail that records only the outer program name will attribute the activity to env rather than to the shell it launched.

Mitigation is to upgrade to OpenClaw 2026.2.24 or later, which fixes the nested wrapper handling. Until the upgrade lands, a conservative interim posture, where the configuration permits it, is to treat any transparent dispatch wrapper as an allowlist miss so that it prompts, and to review the allowlist for wrapper binaries (env, nice, nohup and the like) that may have been added on the assumption that the gate would look through them. Monitoring should flag system.run invocations whose argument vector begins with more than one wrapper, and approval decisions should be logged with the fully unwrapped command rather than the outer binary. VulDB maps the weakness to CWE-345 Insufficient Verification of Data Authenticity and the technique to ATT&CK T1059 Command and Scripting Interpreter. More generally, any allowlist that classifies a command by its first token has to canonicalise that token first (resolve the executable path, peel every wrapper layer, then decide) rather than pattern-match a single layer.
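The bug class and its fix, shown as an added illustration that is not OpenClaw's code and not a reconstruction of the patched logic: a toy allowlist + ask=on-miss gate in Python with a naive check that looks through exactly one wrapper layer, beside a hardened check that unwraps to a fixed point before classifying. The wrapper set, option tables, allowlist contents and the decide_* function names are assumptions chosen for the example.

```python
"""Toy approval gate for an allowlist + ask=on-miss policy.

Added illustration of the bug class behind CVE-2026-32023; this is NOT
OpenClaw's code. Wrapper names, option tables and the allowlist are
assumptions chosen to make the example self-contained.
"""
import os
import re
import shlex

# Transparent dispatch wrappers: they exec the remainder of argv unchanged.
# Which programs count as wrappers is an assumption for this example.
DISPATCH_WRAPPERS = {"env", "nice", "nohup"}
SHELL_BINARIES = {"sh", "bash", "dash", "zsh", "ksh"}

# Options of each wrapper that consume the next argv element as their value.
WRAPPER_OPTS_WITH_VALUE = {
    "env": {"-u", "--unset", "-C", "--chdir", "-S", "--split-string"},
    "nice": {"-n", "--adjustment"},
    "nohup": set(),
}
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

# Hypothetical allowlist. 'env' is on it because the gate is expected to
# look through wrappers anyway; that expectation is what the bypass abuses.
ALLOWLIST = frozenset({"ls", "cat", "git", "env"})


def basename(path):
    return os.path.basename(path)


def strip_wrapper(argv):
    """Remove one wrapper (argv[0]) plus its own options; return the inner argv."""
    name = basename(argv[0])
    takes_value = WRAPPER_OPTS_WITH_VALUE[name]
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            i += 1
            break
        if tok.startswith("-"):
            i += 2 if tok in takes_value else 1
            continue
        if name == "env" and ENV_ASSIGNMENT.match(tok):
            i += 1          # VAR=value assignment, not the command
            continue
        break
    return argv[i:]


def effective_command(argv, max_depth=8):
    """Peel wrappers until the program that actually runs surfaces."""
    depth = 0
    while argv and basename(argv[0]) in DISPATCH_WRAPPERS:
        if depth >= max_depth:
            raise ValueError("wrapper chain too deep")
        argv = strip_wrapper(argv)
        depth += 1
    return argv


def is_shell_wrapper(argv):
    """True for `sh -c ...` style invocations, including clustered -lc / -ec."""
    if not argv or basename(argv[0]) not in SHELL_BINARIES:
        return False
    for tok in argv[1:]:
        if tok == "--" or not tok.startswith("-"):
            break               # first positional reached: no -c given to the shell
        if not tok.startswith("--") and "c" in tok[1:]:
            return True
    return False


def decide_naive(argv, allowlist=ALLOWLIST):
    """Vulnerable pattern: looks through exactly one wrapper layer."""
    inner = strip_wrapper(argv) if basename(argv[0]) in DISPATCH_WRAPPERS else argv
    if not inner or is_shell_wrapper(inner):
        return "ask"
    return "allow" if basename(inner[0]) in allowlist else "ask"


def decide_hardened(argv, allowlist=ALLOWLIST):
    """Fixed pattern: unwrap to a fixed point, then classify what really runs."""
    try:
        inner = effective_command(argv)
    except ValueError:
        return "ask"            # absurd nesting is itself suspicious
    if not inner or is_shell_wrapper(inner):
        return "ask"
    return "allow" if basename(inner[0]) in allowlist else "ask"


if __name__ == "__main__":
    # Constructed sample invocations; the fourth one is the bypass shape.
    for line in ("ls -la",
                 "env FOO=bar ls -la",
                 "env sh -c id",
                 "env env sh -c id",
                 "/usr/bin/env nice -n 5 nohup /bin/sh -c id"):
        argv = shlex.split(line)
        print(f"{line!r:48} naive={decide_naive(argv):5} hardened={decide_hardened(argv)}")
```

The naive gate prompts for env sh -c id but allows env env sh -c id, because after peeling one layer it sees an allowlisted env rather than a shell. The hardened gate reaches the same /bin/sh -c regardless of how many wrappers precede it and prompts. Two caveats carry over to any real implementation: matching on the basename, as this toy does, is itself a weakness (a copy of sh at another path is still a shell), so a production gate should resolve the executable path before comparing; and wrappers that take positional arguments before the command (timeout DURATION ..., for instance) need their own parsing entry, otherwise the unwrapping stops early and the classification is wrong in the unsafe direction.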

Responsible

VulnCheck

Reservation

03/10/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00058

KEV

no

Activities

very low
