PT-2026-26404 · Openclaw · Openclaw

Tdjackey · Published 2026-03-03 · Updated 2026-03-20 · CVE-2026-32023

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

OpenClaw versions prior to 2026.2.24

Description

The software contains an approval-gating bypass in allowlist mode. Nested transparent dispatch wrappers can suppress shell-wrapper detection, allowing an attacker to execute commands without triggering the expected approval prompt in allowlist plus ask=on-miss configurations. The issue stems from a wrapper-depth parsing mismatch in system.run: nested dispatch wrappers, such as repeated /usr/bin/env, bypass shell-wrapper detection while still matching allowlist resolution. Specifically, dispatch-wrapper unwrapping stops at MAX_DISPATCH_WRAPPER_DEPTH, and once that depth is exhausted shell-wrapper extraction can return a non-wrapper. Allowlist resolution then succeeds on the partially unwrapped arguments, which still begin with /usr/bin/env, so /bin/sh -c ... is executed without approval in allowlist + ask=on-miss mode. The vulnerable component is the system.run function.

Recommendations

OpenClaw versions prior to 2026.2.24 should be updated to version 2026.2.24 or later.
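The description above boils down to a mismatch between a depth-limited unwrapper and the checks that consume its result. The following TypeScript is an added illustration written for this advisory, not OpenClaw's code: the function names, the depth limit of 2, the wrapper lists and the sample argv are all assumptions. It models the vulnerable shape (allowlist matching runs on a partially unwrapped argv that still starts with an allowlisted /usr/bin/env) beside a fail-closed variant that refuses to auto-allow anything the unwrapper could not fully resolve.

```typescript
// Hypothetical model of an allowlist gate for a system.run-style tool.
// Not OpenClaw's code: names, the depth limit and the wrapper lists are
// assumptions chosen to illustrate the mismatch described in the advisory.

type Decision = "allow" | "ask";

const MAX_DISPATCH_WRAPPER_DEPTH = 2;            // assumed limit
const DISPATCH_WRAPPERS = new Set(["env"]);      // transparent "run this instead" wrappers
const SHELL_WRAPPERS = new Set(["sh", "bash", "zsh", "dash"]);

const basename = (p: string): string => p.slice(p.lastIndexOf("/") + 1);

const isDispatchWrapper = (argv: string[]): boolean =>
  argv.length > 0 && DISPATCH_WRAPPERS.has(basename(argv[0]));

// `env [NAME=value ...] cmd args...` -> `cmd args...` (env's own options are
// not modelled here; the depth logic is the point of the example)
function stripOneDispatchWrapper(argv: string[]): string[] {
  let i = 1;
  while (i < argv.length && /^[A-Za-z_][A-Za-z0-9_]*=/.test(argv[i])) i++;
  return argv.slice(i);
}

interface Unwrapped { argv: string[]; exhausted: boolean }

// Peel dispatch wrappers up to the depth limit. `exhausted` is true when the
// limit was hit while argv[0] is still a wrapper, i.e. the result is only
// partially unwrapped and must not be treated as the real command.
function unwrapDispatch(argv: string[], maxDepth: number): Unwrapped {
  let cur = argv;
  for (let depth = 0; isDispatchWrapper(cur); depth++) {
    if (depth >= maxDepth) return { argv: cur, exhausted: true };
    cur = stripOneDispatchWrapper(cur);
  }
  return { argv: cur, exhausted: false };
}

// `sh -c ...` style invocation at the head of the (unwrapped) argv
const isShellWrapper = (argv: string[]): boolean =>
  argv.length > 1 && SHELL_WRAPPERS.has(basename(argv[0])) && argv.includes("-c");

// Vulnerable shape, as the advisory describes it: shell detection and allowlist
// matching both run on the partially unwrapped argv, so a depth-exhausted
// result that still begins with an allowlisted /usr/bin/env is auto-allowed.
function decideVulnerable(argv: string[], allowlist: Set<string>): Decision {
  const { argv: inner } = unwrapDispatch(argv, MAX_DISPATCH_WRAPPER_DEPTH);
  if (isShellWrapper(inner)) return "ask";
  return allowlist.has(inner[0]) ? "allow" : "ask";
}

// Hardened shape: fail closed. If the wrapper budget was exhausted the command
// was never fully resolved, so it cannot be matched against the allowlist and
// falls through to the approval prompt (ask=on-miss behaviour).
function decideHardened(argv: string[], allowlist: Set<string>): Decision {
  const { argv: inner, exhausted } = unwrapDispatch(argv, MAX_DISPATCH_WRAPPER_DEPTH);
  if (exhausted || inner.length === 0) return "ask";
  if (isShellWrapper(inner)) return "ask";
  return allowlist.has(inner[0]) ? "allow" : "ask";
}

// Constructed sample: the allowlist permits env and ls; NESTED exceeds the
// depth limit, PLAIN is an ordinary allowlisted invocation.
const ALLOWLIST = new Set(["/usr/bin/env", "/bin/ls"]);
const NESTED = ["/usr/bin/env", "/usr/bin/env", "/usr/bin/env", "/bin/sh", "-c", "id"];
const PLAIN = ["/usr/bin/env", "/bin/ls", "-la"];

console.log(decideVulnerable(NESTED, ALLOWLIST)); // "allow"  (the described bypass)
console.log(decideHardened(NESTED, ALLOWLIST));   // "ask"
console.log(decideHardened(PLAIN, ALLOWLIST));    // "allow"
```

The design point is that any depth cap on unwrapping creates a third outcome besides "wrapper" and "not a wrapper": "unknown". A gate that only distinguishes the first two will classify the unknown case as whichever branch happens to match, which here is the allowlist branch. Treating exhaustion as a miss, as decideHardened does, keeps the allowlist and the shell-wrapper check operating on the same fully resolved command.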

Fix

Weakness Enumeration

Improper Access Control
Incorrect Authorization

Related Identifiers

CVE-2026-32023
GHSA-CCG8-46R6-9QGJ

Affected Products

Openclaw