PT-2026-31977 · Openclaw · Openclaw

Edward-X · Published 2026-03-26 · Updated 2026-04-10 · CVE-2026-35666

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

OpenClaw versions prior to 2026.3.22

Description

A flaw exists in OpenClaw that allows attackers to bypass restrictions on executable bindings. This is achieved by misusing time wrappers within the system.run approvals functionality. Specifically, the vulnerability lies in the failure to properly unwrap /usr/bin/time wrappers, enabling an allowlist bypass. Attackers can reuse approval state for inner commands by utilizing an unregistered time wrapper.

Recommendations

Update to version 2026.3.22 or later.
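
For teams maintaining a similar command allowlist, the sketch below shows the general mitigation the description points at: resolve the executable an approval binds to by unwrapping `/usr/bin/time` first, and fail closed when the wrapper's arguments cannot be parsed. It is an added example, not OpenClaw's code; `ALLOWLIST`, `approval_binding` and `is_approved` are hypothetical names and the sample commands are constructed.

```python
# Added illustration: bind approvals to the inner command, not to the wrapper.
# All names and the allowlist contents are assumptions made for this example.

ALLOWLIST = {"/usr/bin/git", "/usr/bin/ls"}  # constructed sample allowlist

TIME_WRAPPERS = {"/usr/bin/time", "time"}
# GNU time options that consume the following argv element.
TIME_OPTS_WITH_ARG = {"-o", "--output", "-f", "--format"}
# GNU time options that take no argument.
TIME_FLAGS = {"-p", "--portability", "-v", "--verbose", "-a", "--append"}


def approval_binding(argv):
    """Return the executable an approval should bind to, or None if unknown.

    Leading time wrappers (including nested ones) are stripped so that the
    decision is made on the command that will actually run.
    """
    argv = list(argv)
    while argv and argv[0] in TIME_WRAPPERS:
        i = 1
        while i < len(argv) and argv[i].startswith("-"):
            opt = argv[i]
            if opt == "--":
                i += 1
                break
            if opt in TIME_OPTS_WITH_ARG:
                i += 2  # skip the option and its value
            elif opt in TIME_FLAGS or opt.startswith(("--output=", "--format=")):
                i += 1
            else:
                return None  # unrecognised option: fail closed
        argv = argv[i:]
    return argv[0] if argv else None


def is_approved(argv):
    """Allow a command only when its unwrapped executable is allowlisted."""
    target = approval_binding(argv)
    return target is not None and target in ALLOWLIST
```
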

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-35666
GHSA-QM9X-V7CX-7RQ4

Affected Products

Openclaw