Medium severity6.7NVD Advisory· Published Apr 28, 2026· Updated Apr 30, 2026

CVE-2026-41392

Description

OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell init-file wrapper invocations. Attackers can exploit shell options like --rcfile, --init-file, and --startup-file to load attacker-chosen initialization files while bypassing exec allowlist matching restrictions.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
openclawnpm	< 2026.3.31	2026.3.31

Affected products

OpenClaw/Openclaw
cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Range: <2026.3.31

Patches

0c8375424620

Exec approvals: reject shell init-file script matches (#58369)

https://github.com/openclaw/openclawJacob TomlinsonMar 31, 2026via ghsa

commit

2 files changed · +63 −7

src/infra/exec-approvals-allow-always.test.ts+50 −0 modified

@@ -120,6 +120,30 @@ describe("resolveAllowAlwaysPatterns", () => {
     expect(second.allowlistSatisfied).toBe(true);
   }
 
+  function expectShellScriptFallbackRejected(command: string) {
+    const { dir, scriptsDir, script, env, safeBins } = createShellScriptFixture();
+    const rcFile = path.join(scriptsDir, "evilrc");
+    fs.writeFileSync(rcFile, "echo blocked\n");
+
+    const { persisted } = resolvePersistedPatterns({
+      command,
+      dir,
+      env,
+      safeBins,
+    });
+    expect(persisted).toEqual([]);
+
+    const second = evaluateShellAllowlist({
+      command,
+      allowlist: [{ pattern: script }],
+      safeBins,
+      cwd: dir,
+      env,
+      platform: process.platform,
+    });
+    expect(second.allowlistSatisfied).toBe(false);
+  }
+
   function expectPositionalArgvCarrierRejected(command: string) {
     const dir = makeTempDir();
     const touch = makeExecutable(dir, "touch");
@@ -283,6 +307,32 @@ describe("resolveAllowAlwaysPatterns", () => {
     });
   });
 
+  it("rejects shell rc and init-file options as persisted or allowlisted script paths", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    for (const command of [
+      "bash --rcfile scripts/evilrc scripts/save_crystal.sh",
+      "bash --init-file scripts/evilrc scripts/save_crystal.sh",
+      "bash --startup-file scripts/evilrc scripts/save_crystal.sh",
+    ]) {
+      expectShellScriptFallbackRejected(command);
+    }
+  });
+
+  it("rejects shell rc and init-file equals options as persisted or allowlisted script paths", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    for (const command of [
+      "bash --rcfile=scripts/evilrc scripts/save_crystal.sh",
+      "bash --init-file=scripts/evilrc scripts/save_crystal.sh",
+      "bash --startup-file=scripts/evilrc scripts/save_crystal.sh",
+    ]) {
+      expectShellScriptFallbackRejected(command);
+    }
+  });
+
   it("rejects shell-wrapper positional argv carriers", () => {
     if (process.platform === "win32") {
       return;

src/infra/exec-approvals-allowlist.ts+13 −7 modified

@@ -504,16 +504,19 @@ function isShellWrapperSegment(segment: ExecCommandSegment): boolean {
   return hasSegmentExecutableMatch(segment, isShellWrapperExecutable);
 }
 
-const SHELL_WRAPPER_OPTIONS_WITH_VALUE = new Set([
-  "-c",
-  "--command",
-  "-o",
-  "-O",
-  "+O",
+const SHELL_WRAPPER_OPTIONS_WITH_VALUE = new Set(["-c", "--command", "-o", "-O", "+O"]);
+
+const SHELL_WRAPPER_DISQUALIFYING_SCRIPT_OPTIONS = [
   "--rcfile",
   "--init-file",
   "--startup-file",
-]);
+] as const;
+
+function hasDisqualifyingShellWrapperScriptOption(token: string): boolean {
+  return SHELL_WRAPPER_DISQUALIFYING_SCRIPT_OPTIONS.some(
+    (option) => token === option || token.startsWith(`${option}=`),
+  );
+}
 
 function resolveShellWrapperScriptCandidatePath(params: {
   segment: ExecCommandSegment;
@@ -548,6 +551,9 @@ function resolveShellWrapperScriptCandidatePath(params: {
     if (token === "-s" || /^-[^-]*s[^-]*$/i.test(token)) {
       return undefined;
     }
+    if (hasDisqualifyingShellWrapperScriptOption(token)) {
+      return undefined;
+    }
     if (SHELL_WRAPPER_OPTIONS_WITH_VALUE.has(token)) {
       idx += 2;
       continue;

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/openclaw/openclaw/commit/0c8375424620e12777ef24c162eedc7e9fcfd7e3nvdPatchWEB
github.com/advisories/GHSA-wpc6-37g7-8q4wghsaADVISORY
github.com/openclaw/openclaw/security/advisories/GHSA-wpc6-37g7-8q4wnvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-41392ghsaADVISORY
www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-shell-init-file-optionsnvdThird Party AdvisoryWEB

News mentions

No linked articles in our index yet.

cvss	0.436
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000