Openclaw · Openclaw · CVE-2026-41390
**Name of the Vulnerable Software and Affected Versions**
OpenClaw versions prior to 2026.3.28
**Description**
An exec allowlist bypass exists because allow-always persistence fails to unwrap `/usr/bin/script` and similar wrappers before storing trust decisions. An attacker who obtains user approval for a single wrapped command can thereby persist trust for the wrapper binary itself, which can then execute different underlying programs.
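The difference between persisting trust for the wrapper and for the unwrapped program is shown in the added example below. It is not OpenClaw's code: the function names, the wrapper list and the sample command are assumptions made for illustration, and only the `-c`/`--command` form of `script` is unwrapped, with every other form treated as "do not persist".

```javascript
// Added illustration; function and constant names are hypothetical, not OpenClaw's.
// Wrappers whose own path says nothing about what finally runs (assumed list).
const WRAPPERS = new Set(["script"]);
// Characters that make a `-c` string more than one plain command.
const SHELL_META = /[;&|<>()$`\\"'*?\[\]{}~#!\n]/;

const basename = (p) => p.split("/").pop();

// Inner argv of `script -c "<cmd>"`, or null when it cannot be determined safely.
function unwrapScript(argv) {
  for (let i = 1; i < argv.length; i++) {
    const a = argv[i];
    let cmd = null;
    if (a === "-c" || a === "--command") cmd = argv[i + 1];
    else if (a.startsWith("--command=")) cmd = a.slice("--command=".length);
    if (cmd === null) continue;
    if (cmd === undefined || SHELL_META.test(cmd)) return null;
    const inner = cmd.trim().split(/\s+/);
    return inner[0] ? inner : null;
  }
  return null; // no -c: script would start an interactive shell
}

// Flawed shape described above: trust is keyed on argv[0], i.e. the wrapper.
function trustKeyNaive(argv) {
  return argv[0];
}

// Hardened shape: unwrap to the real executable; null means "do not persist".
function trustKeyUnwrapped(argv, depth = 0) {
  if (argv.length === 0 || depth > 4) return null;
  if (!WRAPPERS.has(basename(argv[0]))) return argv[0];
  const inner = unwrapScript(argv);
  return inner ? trustKeyUnwrapped(inner, depth + 1) : null;
}

// Constructed sample: the command a user approved with "allow always".
const approved = ["/usr/bin/script", "-q", "-c", "/usr/bin/git status", "/dev/null"];
console.log(trustKeyNaive(approved));     // "/usr/bin/script"
console.log(trustKeyUnwrapped(approved)); // "/usr/bin/git"
```

A `null` result means the decision should stay per-invocation, so a wrapper that cannot be resolved to a single program never ends up in the persisted allowlist.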
**Recommendations**
Update to version 2026.3.28.