CVE-2026-32973
Published 2026-03-29

Priority P261 · Critical 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H

EPSS: 0.41% (32.4th percentile)
OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard matching across path segments to execute commands or paths not intended by operators.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openclaw | openclaw | < 2026.3.11 | 2026.3.11 |
Detection & IOCs (extracted from sources)
- Look for exploitation of the `matchesExecAllowlistPattern` function in OpenClaw where `?` wildcard characters are used to match across POSIX path separators (`/`), allowing bypass of exec allowlist patterns via glob overmatching.
- Monitor for execution of commands or binaries on POSIX systems where the resolved path would not be expected to match the configured allowlist pattern, particularly where lowercasing normalization is applied before glob matching in OpenClaw versions before 2026.3.11.
- The vulnerability affects OpenClaw (formerly known as Moltbot or Clawdbot) versions before 2026.3.11. Operators should verify their installed version and upgrade to 2026.3.11 or later. Homebrew and MinimOS fixes were added April 2 and April 5, 2026 respectively.
- Exec allowlist patterns in OpenClaw configurations that rely on glob patterns (especially those using `?`) on POSIX paths may be bypassable. Review and tighten allowlist patterns to avoid reliance on `?` wildcards spanning path segments.
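The description above and the tightening advice in the last bullet both come down to two properties of a glob-based allowlist matcher: a wildcard must not be allowed to cross a `/`, and paths on a case-sensitive POSIX filesystem must not be case-folded before comparison. The following is an added illustration, not OpenClaw's `matchesExecAllowlistPattern` or any code from the project; JavaScript is used because the function name suggests a JavaScript/TypeScript code base (an assumption). All function names, the allowlist and the candidate paths are constructed for the example. `matchesWeak` reproduces the over-matching behaviour the advisory describes; `matchesHardened` normalizes the candidate path first, keeps `?` and `*` inside a single segment, and compares case exactly.

```javascript
// Added illustration (not OpenClaw's code): a glob-based exec allowlist
// matcher in a weak and a hardened form. All names are assumed.

// Escape regex metacharacters in a literal pattern character.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Compile a glob to an anchored RegExp.
//   segmentAware=false: `?` -> any char, `*` -> any run (both cross `/`)
//   segmentAware=true : `?` -> one non-`/` char, `*` -> a run of non-`/`
//                       chars, and only `**` may span path segments
function globToRegExp(pattern, segmentAware) {
  let re = '';
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '*') {
      if (segmentAware && pattern[i + 1] === '*') {
        re += '.*';
        i++; // consume the second `*`
      } else {
        re += segmentAware ? '[^/]*' : '.*';
      }
    } else if (c === '?') {
      re += segmentAware ? '[^/]' : '.';
    } else {
      re += escapeRegExp(c);
    }
  }
  return new RegExp('^' + re + '$');
}

// Collapse `//`, `.` and `..` in an absolute POSIX path the way the kernel
// resolves it, so the matcher judges the file that will actually execute.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; } // `..` at root stays at root
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Weak form: case-folds both sides and lets wildcards cross separators.
function matchesWeak(pattern, candidate) {
  return globToRegExp(pattern.toLowerCase(), false).test(candidate.toLowerCase());
}

// Hardened form: absolute paths only, normalized before matching,
// case-sensitive, wildcards confined to a single segment.
function matchesHardened(pattern, candidate) {
  if (!candidate.startsWith('/')) return false;
  return globToRegExp(pattern, true).test(normalizePosix(candidate));
}

// Evaluate a candidate against a whole allowlist with both matchers.
function compare(allowlist, candidate) {
  return {
    weak: allowlist.some((p) => matchesWeak(p, candidate)),
    hardened: allowlist.some((p) => matchesHardened(p, candidate)),
  };
}

// Constructed allowlist: the operator intends to allow the three-letter
// shells in /usr/bin and any single tool directly under /opt/tool.
const ALLOWLIST = ['/usr/bin/?sh', '/opt/tool/*'];

// Constructed candidates: two the operator intended, three they did not.
for (const c of ['/usr/bin/zsh', '/opt/tool/run', '/usr/bin//sh',
                 '/opt/tool/../../bin/sh', '/OPT/TOOL/run']) {
  console.log(c.padEnd(26), JSON.stringify(compare(ALLOWLIST, c)));
}
```

The hardened matcher normalizes before matching rather than rejecting unusual spellings, so `/usr/bin/../bin/zsh` is still accepted as the same file as `/usr/bin/zsh`, while `/usr/bin//sh` and `/opt/tool/../../bin/sh` are judged as `/usr/bin/sh` and `/bin/sh` and refused. When reviewing an existing allowlist, prefer exact absolute paths over `?` and `*`, and reserve `**` for directories whose entire contents are genuinely trusted.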
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
No public exploits indexed.