PT-2026-35776 · Openclaw · Openclaw
Cyjhhh
·
Published
2026-04-07
·
Updated
2026-04-30
·
CVE-2026-41392
CVSS v3.1
7.3
High
| Vector | AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.31
Description
An exec allowlist bypass allows attackers to inherit allowlist trust through shell init-file wrapper invocations. By utilizing shell options such as
--rcfile, --init-file, and --startup-file, attackers can load initialization files of their choice, bypassing the matching restrictions of the exec allowlist.Recommendations
Update to version 2026.3.31.
Fix
Incomplete List of Disallowed Inputs
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw