High severity · 7.3 (NVD) · Advisory · Published Apr 28, 2026 · Updated May 1, 2026
CVE-2026-41380
Description
OpenClaw before 2026.3.28 contains an execution-approval vulnerability in exec-approvals-allowlist.ts: when a command of the shape `sh -lc '$0 "$@"' <carrier> ...` is approved with allow-always, the persisted allowlist entry trusts the positional carrier executable rather than the target that carrier will actually invoke. If the carrier is itself a dispatch wrapper (such as env) or a shell wrapper (such as bash), an attacker can route a different command through the same wrapper and still satisfy the allowlist, so the approval establishes a broader allow-always entry than the user intended and weakens execution-approval boundaries.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.3.28 | 2026.3.28 |
Affected products
Patches (1)
1. 9ec44fad390f · Exec approvals: reject wrapper carrier allow-always targets (#55947)
2 files changed · +64 −0
src/infra/exec-approvals-allow-always.test.ts+56 −0 modified@@ -652,4 +652,60 @@ $0 \\"$1\\"" touch {marker}`, persistedPattern: benign, }); }); + + it("rejects positional carrier when carried executable is a dispatch wrapper", () => { + if (process.platform === "win32") { + return; + } + const dir = makeTempDir(); + makeExecutable(dir, "env"); + const env = makePathEnv(dir); + const safeBins = resolveSafeBins(undefined); + + const { persisted } = resolvePersistedPatterns({ + command: `sh -lc '$0 "$@"' env echo SAFE`, + dir, + env, + safeBins, + }); + expect(persisted).toEqual([]); + + const second = evaluateShellAllowlist({ + command: `sh -lc '$0 "$@"' env BASH_ENV=/tmp/payload.sh bash -lc 'id > /tmp/pwned'`, + allowlist: persisted.map((pattern) => ({ pattern })), + safeBins, + cwd: dir, + env, + platform: process.platform, + }); + expect(second.allowlistSatisfied).toBe(false); + }); + + it("rejects positional carrier when carried executable is a shell wrapper", () => { + if (process.platform === "win32") { + return; + } + const dir = makeTempDir(); + makeExecutable(dir, "bash"); + const env = makePathEnv(dir); + const safeBins = resolveSafeBins(undefined); + + const { persisted } = resolvePersistedPatterns({ + command: `sh -lc '$0 "$@"' bash -lc 'echo safe'`, + dir, + env, + safeBins, + }); + expect(persisted).toEqual([]); + + const second = evaluateShellAllowlist({ + command: `sh -lc '$0 "$@"' bash -lc 'id > /tmp/pwned'`, + allowlist: persisted.map((pattern) => ({ pattern })), + safeBins, + cwd: dir, + env, + platform: process.platform, + }); + expect(second.allowlistSatisfied).toBe(false); + }); });
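Review bot: the second `evaluateShellAllowlist` assertion in both new tests adds no coverage beyond the first, because `allowlist` is built from `persisted`, which `expect(persisted).toEqual([])` already requires to be empty, so `allowlistSatisfied` would be `false` for any command; seed the allowlist with the pattern a pre-fix build would have persisted for the carrier, or assert on a rejection reason, so that the evaluation path is actually exercised against a non-empty allowlist. Separately, the `if (process.platform === "win32") { return; }` guard reports both cases as passing on Windows instead of skipped; use the runner's skip mechanism (for example `it.skipIf(...)` if this is vitest) so the platform gap stays visible in the test report.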
src/infra/exec-approvals-allowlist.ts+8 −0 modified@@ -1,4 +1,5 @@ import path from "node:path"; +import { isDispatchWrapperExecutable } from "./dispatch-wrapper-resolution.js"; import { analyzeShellCommand, isWindowsPlatform, @@ -463,6 +464,13 @@ function resolveShellWrapperPositionalArgvCandidatePath(params: { return undefined; } + // Reject wrapper targets carried through `$0 "$@"` because their trailing argv can + // widen execution semantics beyond the original approved command. + const carriedName = normalizeExecutableToken(carriedExecutable); + if (isDispatchWrapperExecutable(carriedName) || isShellWrapperExecutable(carriedName)) { + return undefined; + } + const resolution = resolveCommandResolutionFromArgv([carriedExecutable], params.cwd, params.env); return resolveExecutionTargetCandidatePath(resolution, params.cwd); }
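Review bot: the new check in `resolveShellWrapperPositionalArgvCandidatePath` classifies the carrier by name only, via `normalizeExecutableToken(carriedExecutable)`, and runs before `resolveCommandResolutionFromArgv` resolves the token to a path; confirm that `normalizeExecutableToken` reduces a path-qualified carrier such as `/usr/bin/env` to its basename, and consider applying `isDispatchWrapperExecutable` / `isShellWrapperExecutable` to the basename of the resolved target as well, so a wrapper reached through a differently named symlink or copy is also rejected. Neither form is covered by the new tests, which pass only the bare names `env` and `bash`. It would also help to extend the comment to state that returning `undefined` means no allow-always pattern is persisted at all (rather than falling back to the carried target), since that is the contract the regression tests depend on.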
Vulnerability mechanics
Allow-always persistence resolves the executable that a positional shell-wrapper command will run so that it can store an allowlist pattern for it. For a command of the shape `sh -lc '$0 "$@"' <carrier> <args...>` the wrapper execs the positional carrier, so resolveShellWrapperPositionalArgvCandidatePath in exec-approvals-allowlist.ts took the carrier as the target to trust. When the carrier is itself a dispatch wrapper such as env or a shell wrapper such as bash, its name says nothing about what will actually run: approving `sh -lc '$0 "$@"' env echo SAFE` once produced an entry that also satisfies `sh -lc '$0 "$@"' env BASH_ENV=/tmp/payload.sh bash -lc 'id > /tmp/pwned'`, and approving `sh -lc '$0 "$@"' bash -lc 'echo safe'` likewise covered `sh -lc '$0 "$@"' bash -lc 'id > /tmp/pwned'`. The fix (commit 9ec44fad390f) normalizes the carried executable's name and returns no candidate path when isDispatchWrapperExecutable or isShellWrapperExecutable matches it, so no allow-always pattern is persisted for such commands; the regression tests assert that the persisted pattern list is empty and that the follow-up command is not allowlisted.
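The carrier routing described above, as an added TypeScript example that is not OpenClaw's code: a minimal word splitter, a recogniser for the `sh -lc '$0 "$@"' <carrier> ...` shape, the pre-fix behaviour that persists whatever carrier it finds, and the hardened rule that refuses to persist a carrier that is itself a shell or dispatch wrapper. The function names, the wrapper name sets, and the sample commands are assumptions constructed for illustration; the project's own helpers (normalizeExecutableToken, resolvePersistedPatterns, evaluateShellAllowlist) are not reproduced.

```typescript
// Added example, not OpenClaw code. Models how an allow-always approval derived
// from a `sh -lc '$0 "$@"' <carrier> ...` command can end up trusting the carrier,
// and the hardened rule that refuses to persist a carrier that is itself a wrapper.
// Function names, wrapper sets and sample commands are illustrative assumptions.

// Minimal POSIX-style word splitter: single quotes, double quotes, backslashes.
// Enough for the command shapes used here; it is not a full shell parser.
function tokenize(command: string): string[] {
  const out: string[] = [];
  let cur = "";
  let inToken = false;
  let quote: string | null = null;
  for (let i = 0; i < command.length; i++) {
    const ch = command.charAt(i);
    if (quote === "'") {
      if (ch === "'") quote = null;
      else cur += ch;
    } else if (quote === '"') {
      if (ch === '"') quote = null;
      else if (ch === "\\" && i + 1 < command.length && '"\\$`'.includes(command.charAt(i + 1))) cur += command.charAt(++i);
      else cur += ch;
    } else if (ch === "'" || ch === '"') {
      quote = ch;
      inToken = true;
    } else if (ch === "\\" && i + 1 < command.length) {
      cur += command.charAt(++i);
      inToken = true;
    } else if (ch === " " || ch === "\t" || ch === "\n") {
      if (inToken) {
        out.push(cur);
        cur = "";
        inToken = false;
      }
    } else {
      cur += ch;
      inToken = true;
    }
  }
  if (quote !== null) throw new Error("unterminated quote");
  if (inToken) out.push(cur);
  return out;
}

// Illustrative wrapper sets (assumption; the project keeps its own lists).
const SHELL_WRAPPERS = new Set(["sh", "bash", "dash", "zsh", "ksh"]);
const DISPATCH_WRAPPERS = new Set(["env", "nice", "nohup", "timeout"]);

function baseName(token: string): string {
  const i = token.lastIndexOf("/");
  return i === -1 ? token : token.slice(i + 1);
}

// If argv has the shape `<shell> -c|-lc '$0 "$@"' <carrier> <args...>`, return
// the positional carrier: the executable the wrapper will actually exec.
function carriedExecutable(argv: string[]): string | undefined {
  const [shell, flag, body, carrier] = argv;
  if (shell === undefined || flag === undefined || body === undefined || carrier === undefined) return undefined;
  if (!SHELL_WRAPPERS.has(baseName(shell))) return undefined;
  if (!/^-l?c$/.test(flag)) return undefined;
  if (body.trim().replace(/\s+/g, " ") !== '$0 "$@"') return undefined;
  return carrier;
}

// Pre-fix behaviour: the carrier is persisted as-is, even when it is `env` or
// `bash`, so the entry covers anything that carrier can be told to run.
function persistedPatternUnsafe(command: string): string | undefined {
  const carrier = carriedExecutable(tokenize(command));
  return carrier === undefined ? undefined : baseName(carrier);
}

// Hardened behaviour (the rule the fix introduces): a carrier that is itself a
// shell or dispatch wrapper yields no persisted pattern, because its trailing
// argv, not the carrier name, decides what runs.
function persistedPatternSafe(command: string): string | undefined {
  const carrier = carriedExecutable(tokenize(command));
  if (carrier === undefined) return undefined;
  const name = baseName(carrier);
  if (SHELL_WRAPPERS.has(name) || DISPATCH_WRAPPERS.has(name)) return undefined;
  return name;
}

// Allowlist evaluation: satisfied when the executable the command will run
// (the carrier for wrapper commands, otherwise argv[0]) matches an entry.
function allowlistSatisfied(command: string, allowlist: string[]): boolean {
  const argv = tokenize(command);
  const target = carriedExecutable(argv) ?? argv[0];
  return target !== undefined && allowlist.includes(baseName(target));
}

// Constructed sample commands mirroring the shapes in the fix's regression tests.
const BENIGN = `sh -lc '$0 "$@"' env echo SAFE`;
const ABUSE = `sh -lc '$0 "$@"' env BASH_ENV=/tmp/payload.sh bash -lc 'id > /tmp/pwned'`;

// Walks both behaviours; reports whether ABUSE gets through under each model.
function demo(): { unsafeAllowsAbuse: boolean; safeAllowsAbuse: boolean } {
  const unsafeEntry = persistedPatternUnsafe(BENIGN); // "env"
  const safeEntry = persistedPatternSafe(BENIGN); // undefined
  return {
    unsafeAllowsAbuse: allowlistSatisfied(ABUSE, unsafeEntry ? [unsafeEntry] : []),
    safeAllowsAbuse: allowlistSatisfied(ABUSE, safeEntry ? [safeEntry] : []),
  };
}

console.log(demo()); // { unsafeAllowsAbuse: true, safeAllowsAbuse: false }
```

The hardened path deliberately persists nothing rather than falling back to the first non-wrapper argument after the carrier, because for a carried `env` or `bash` the real target is chosen by argv that can be rewritten (here an environment assignment and a different `-lc` body) without changing the approved carrier name.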
References (5)
- github.com/advisories/GHSA-p4x4-2r7f-wjxg (GHSA: advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg (NVD: Vendor Advisory, web)
- www.vulncheck.com/advisories/openclaw-arbitrary-execution-allowlist-via-wrapper-carrier-executables (NVD: Third Party Advisory)
- github.com/openclaw/openclaw/commit/9ec44fad390f0bc1c29c3cc418b322560cb0222b (GHSA: web)
- github.com/openclaw/openclaw/releases/tag/v2026.3.28 (GHSA: web)
News mentions (0)
No linked articles in our index yet.