CVE-2026-32973

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.11

Description OpenClaw contains an exec allowlist bypass issue where the matchesExecAllowlistPattern function improperly normalizes patterns. This improper normalization, involving lowercasing and glob matching, leads to overmatching on POSIX paths. Attackers can leverage the ? wildcard matching across path segments to execute commands or paths that were not intended by operators. The matchesExecAllowlistPattern function is responsible for validating allowed execution paths, and its flawed pattern handling allows for circumvention of these restrictions.

Recommendations Update OpenClaw to version 2026.3.11 or later.