Vulnerability Description
OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env to execute /bin/sh -c commands without triggering the expected approval prompt in allowlist plus ask=on-miss configurations.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.24 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/57c9a18180c8b14885bbd95474cbb17ff2d0Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-ccg8-46r6-9qgjVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-approval-gating-bypass-via-dispatcThird Party Advisory
FAQ
What is CVE-2026-32023?
CVE-2026-32023 is a vulnerability with a CVSS score of 7.1 (HIGH). OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attac...
How severe is CVE-2026-32023?
CVE-2026-32023 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32023?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.