CVE-2026-41390

HIGH CVSS 7.3 View on NVD ↗

Description

OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persistence fails to unwrap /usr/bin/script and similar wrappers before storing trust decisions. Attackers can obtain user approval for one wrapped command to persist trust for wrapper binaries that execute different underlying programs.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-6pfc-6m7w-m8fx
https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-unregistered-usr-bin-script-wrapper

Published: Apr 28, 2026 19:37 UTC Modified: Apr 28, 2026 20:10 UTC