CVE-2026-32059
Published: 11 March 2026
Summary
CVE-2026-32059 is a high-severity Incorrect Authorization (CWE-863) vulnerability in OpenClaw. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 22.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of command-line inputs, including GNU long-option abbreviations, to prevent bypass of safeBins allowlist checks.
- AC-3 (Access Enforcement): enforces access control policies for command execution, blocking unauthorized sort commands even where the validation is flawed.
- CM-7 (Least Functionality): restricts system functionality to essential approved binaries and options, mitigating the risk from incomplete option validation in allowlist mode.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote network exploitation of authorization bypass in safeBins validation logic directly enables T1190 (Exploit Public-Facing Application) and unauthorized Unix command execution via T1059.004 (Unix Shell).
NVD Description
OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for the sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbreviated long options to skip approval requirements in allowlist mode.
Deeper analysis
CVE-2026-32059 affects OpenClaw versions 2026.2.22-2 and earlier, prior to 2026.2.23, specifically in the tools.exec.safeBins component's validation logic for the sort command. The vulnerability arises from a failure to properly validate GNU long-option abbreviations, which allows attackers to bypass denied-flag checks via these abbreviated options. Classified under CWE-863 (Incorrect Authorization), it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Remote attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction. By crafting sort commands that use abbreviated long options, they bypass approval requirements enforced in allowlist mode, enabling unauthorized execution of the sort command and potentially leading to high impacts on confidentiality, integrity, and availability.
The issue is fixed in OpenClaw version 2026.2.23. Details on the patch are available in the GitHub commit at https://github.com/openclaw/openclaw/commit/3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f, the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78, and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-sort-long-option-abbreviation-in-toolsexecsafebins.
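As an added illustration (not OpenClaw's own code), the TypeScript below contrasts a naive denied-flag check, which compares the literal token, with a hardened one that first resolves GNU long-option abbreviations the way getopt_long does and fails closed on unknown or ambiguous names. The sort option table and the denied set are assumptions chosen for the example.

```typescript
// Added example, not OpenClaw's code: a safeBins-style denied-flag check for `sort`
// that resolves GNU long-option abbreviations before the denylist lookup.
// The option table and the denied set are assumptions chosen for illustration.

const SORT_LONG_OPTIONS: readonly string[] = [
  "batch-size", "buffer-size", "check", "compress-program", "debug",
  "dictionary-order", "field-separator", "files0-from", "general-numeric-sort",
  "human-numeric-sort", "ignore-case", "ignore-leading-blanks", "ignore-nonprinting",
  "key", "merge", "month-sort", "numeric-sort", "output", "parallel", "random-sort",
  "random-source", "reverse", "sort", "stable", "temporary-directory", "unique",
  "version-sort", "zero-terminated",
];

// Hypothetical denylist: options that write files or run other programs.
const DENIED: ReadonlySet<string> = new Set([
  "--output", "--files0-from", "--compress-program", "--temporary-directory", "--random-source",
]);

// Strip a "=value" suffix so "--output=/tmp/x" compares as "--output".
function optionName(token: string): string {
  const eq = token.indexOf("=");
  return eq === -1 ? token : token.slice(0, eq);
}

// Vulnerable pattern: literal comparison, so an abbreviation is never recognised.
function isAllowedNaive(args: string[]): boolean {
  return args.every((a) => !DENIED.has(optionName(a)));
}

// Resolve a long option the way getopt_long does: an exact name wins, otherwise a
// unique prefix is expanded; unknown or ambiguous prefixes resolve to null.
function canonicalLongOption(token: string): string | null {
  if (!token.startsWith("--") || token === "--") return null;
  const name = optionName(token).slice(2);
  if (SORT_LONG_OPTIONS.includes(name)) return `--${name}`;
  const matches = SORT_LONG_OPTIONS.filter((o) => o.startsWith(name));
  return matches.length === 1 ? `--${matches[0]}` : null;
}

// Hardened check: canonicalise first, fail closed on anything unresolvable, then deny.
function isAllowedHardened(args: string[]): boolean {
  for (const a of args) {
    if (a === "--") break;             // end of options: the rest are operands
    if (!a.startsWith("--")) continue; // short options and operands are out of scope here
    const canon = canonicalLongOption(a);
    if (canon === null || DENIED.has(canon)) return false;
  }
  return true;
}
```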
Details
- CWE(s)