Vulnerability Description
OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation and execute arbitrary commands on the paired host.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.22 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/5da03e622119fa012285cdb590fcf4264c96Patch
- https://github.com/openclaw/openclaw/commit/e371da38aab99521c4e076cd3d95fd775e00Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5f9p-f3w2-fwchMitigationVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-allowlist-parsing-mismatch-in-systThird Party Advisory
FAQ
What is CVE-2026-31993?
CVE-2026-31993 is a vulnerability with a CVSS score of 4.8 (MEDIUM). OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with o...
How severe is CVE-2026-31993?
CVE-2026-31993 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-31993?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.