Vulnerability Description
OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowlisted, attackers can use env -S to bypass policy analysis and execute shell wrapper payloads at runtime.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.23 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/3f923e831364d83d0f23499ee49961de334cPatch
- https://github.com/openclaw/openclaw/commit/a1c4bf07c6baad3ef87a0e710fe9aef127b1Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-48wf-g7cp-gr3mMitigationVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-allowlist-exec-guard-bypass-via-enThird Party Advisory
FAQ
What is CVE-2026-31992?
CVE-2026-31992 is a vulnerability with a CVSS score of 7.1 (HIGH). OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowli...
How severe is CVE-2026-31992?
CVE-2026-31992 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-31992?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.