Platform: python
Component: openclaw
Fixed in: 2026.3.11
CVE-2026-32973 describes an exec allowlist bypass vulnerability discovered in OpenClaw. This flaw allows attackers to circumvent intended restrictions on command execution by exploiting improper pattern normalization within the matchesExecAllowlistPattern function. The vulnerability affects versions 0 through 2026.3.11 of OpenClaw and has been resolved in version 2026.3.11.
The impact of this vulnerability is severe. An attacker can leverage the improper wildcard matching to execute arbitrary commands or access files outside the intended scope of the allowlist. This could lead to complete system compromise, data exfiltration, or denial of service. Because the ? wildcard is allowed to match across path-segment boundaries, a crafted path can satisfy an allowlist pattern while resolving to a location the pattern was never meant to cover, bypassing security controls designed to restrict command execution to specific, safe paths. This bypass effectively grants the attacker the ability to execute commands with the privileges of the OpenClaw process, potentially escalating privileges and gaining control of the underlying system.
CVE-2026-32973 was publicly disclosed on 2026-03-29. The vulnerability's severity is rated CRITICAL (CVSS 9.8). Currently, there are no publicly available exploits, but the ease of exploitation due to the wildcard bypass suggests a high probability of exploitation if left unpatched. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.07% (23rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32973 is to immediately upgrade OpenClaw to version 2026.3.11 or later. If upgrading is not immediately feasible, consider implementing stricter input validation and sanitization on any user-provided data used in command execution. While no direct workaround is available, carefully review and restrict the paths and commands allowed by the exec allowlist. Monitor system logs for unusual command execution patterns, particularly those involving wildcard characters. After upgrading, confirm the fix by attempting to execute commands using patterns that previously bypassed the allowlist; these should now be blocked.
Update the OpenClaw library to version 2026.3.11 or later. This fixes the exec allowlist bypass vulnerability due to incorrect pattern normalization with wildcard matching in POSIX paths.
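To make the failure mode concrete, and to give a shape to the post-upgrade verification suggested above, the following Python example contrasts a glob matcher whose wildcards may cross a / boundary with one that bounds each wildcard to a single path segment and normalizes the candidate path before matching. This is an added illustration, not OpenClaw's code: the allowlist entries, function names and paths are constructed, and the naive matcher uses Python's fnmatch only because its translation of ? and * happens to show the same class of behavior the advisory describes.

```python
import os
import re
import fnmatch

# Constructed sample allowlist (hypothetical, not from OpenClaw). The operator
# intends to allow any executable directly inside /opt/tools, plus exactly
# /opt/tools/v<one character>/run.
ALLOWLIST = ["/opt/tools/*", "/opt/tools/v?/run"]


def naive_match(pattern: str, path: str) -> bool:
    """Shell-style glob matching in which '*' and '?' may match '/'.

    fnmatch translates '?' to '.' and '*' to '.*', so neither wildcard stops
    at a path-segment boundary, and the candidate path is compared verbatim,
    with no normalization of '..' or of doubled separators.
    """
    return fnmatch.fnmatchcase(path, pattern)


def glob_to_segment_regex(pattern: str) -> re.Pattern:
    """Translate a glob so that wildcards never cross a '/' boundary."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append("[^/]*")   # any run of characters within one segment
        elif ch == "?":
            parts.append("[^/]")    # exactly one character, never a separator
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")  # anchored: no trailing junk


def hardened_match(pattern: str, path: str) -> bool:
    """Normalize the candidate path, then match with segment-bounded wildcards."""
    if not path.startswith("/") or "\0" in path:
        return False
    # Collapse '.', '..' and repeated '/' so the string being compared is the
    # path the operating system would actually resolve.
    normalized = os.path.normpath(path)
    return glob_to_segment_regex(pattern).match(normalized) is not None


def is_allowed(path: str, allowlist=ALLOWLIST, matcher=hardened_match) -> bool:
    """True if any allowlist entry accepts the path under the given matcher."""
    return any(matcher(entry, path) for entry in allowlist)


def compare(path: str):
    """Return (naive verdict, hardened verdict) for one candidate path."""
    return (
        is_allowed(path, matcher=naive_match),
        is_allowed(path, matcher=hardened_match),
    )


if __name__ == "__main__":
    # Constructed candidates: two that the operator meant to allow, and three
    # that only pass when wildcards are allowed to cross a segment boundary
    # or when '..' and '//' are not normalized before matching.
    for candidate in [
        "/opt/tools/ls",
        "/opt/tools/v1/run",
        "/opt/tools/sub/evil",
        "/opt/tools/../../bin/sh",
        "/opt/tools/v//run",
    ]:
        naive, hardened = compare(candidate)
        print(f"{candidate:28} naive={naive!s:5} hardened={hardened}")
```

The hardened matcher makes two independent changes, and both are needed: bounding wildcards to one segment stops a pattern such as /opt/tools/* from covering /opt/tools/sub/evil, while normalizing the candidate before matching stops /opt/tools/../../bin/sh and /opt/tools/v//run from satisfying a pattern as typed and then resolving somewhere else. Run as a script it prints a side-by-side table; wired into a test suite, compare() gives the regression check for an allowlist matcher.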
CVE-2026-32973 is a critical vulnerability in OpenClaw where improper wildcard matching allows attackers to bypass the exec allowlist and potentially execute arbitrary commands.
You are affected if you are using OpenClaw versions 0 through 2026.3.11. Check your version and upgrade immediately.
Upgrade OpenClaw to version 2026.3.11 or later to resolve this vulnerability. If upgrading is not possible, implement stricter input validation.
While no public exploits are currently known, the ease of exploitation suggests a high probability of exploitation if left unpatched.
Refer to the official OpenClaw project website and security advisories for the latest information and updates regarding CVE-2026-32973.