CVE-2026-32973 | OpenClaw before 2026.3.11 contains an exec allowlist bypass … | CVSS 9.8 CRITICAL

Description

OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard matching across path segments to execute commands or paths not intended by operators.

Metadata

CVE ID: CVE-2026-32973
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-03-17 11:31 UTC
Published: 2026-03-29 12:44 UTC
Last updated: 2026-03-30 14:12 UTC
Primary CWE: CWE-625
Permissive Regular Expression
Vendor / Product: OpenClaw / OpenClaw
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
OpenClaw	OpenClaw	—	0 < 2026.3.11, 2026.3.11

Weakness (CWE)

CWE	Source	Description
CWE-625	cna	Permissive Regular Expression

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)

GitHub Security Advisory (GHSA-f8r2-vg7x-gh8m) https://github.com/openclaw/openclaw/security/advisories/GHSA-f8r2-vg7x-gh8m
VulnCheck Advisory: OpenClaw < 2026.3.11 - Exec Allowlist Pattern Overmatch via POSIX Path Normalization https://www.vulncheck.com/advisories/openclaw-exec-allowlist-pattern-overmatch-via-posix-path-normalization