HIGHCVE-2026-32973Published 2026-03-29Modified 2026-03-30CNA VulnCheck

CVE-2026-32973: OpenClaw < 2026.3.11 - Exec Allowlist Pattern Overmatch via POSIX Path Normalization

OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard matching across path segments to execute commands or paths not intended by operators.

CVSS v4.0: 8.8
Severity: HIGH
Fixed in: 2026.3.11
Affected Products: 1

Fix available

2026.3.11

Affected packages

OpenClaw / OpenClaw
< 2026.3.11 (from 0)
Fixed in 2026.3.11

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-f8r2-vg7x-gh8m)
VulnCheck Advisory: OpenClaw < 2026.3.11 - Exec Allowlist Pattern Overmatch via POSIX Path Normalization

Metrics

Fix available