CVE-2026-32973
Published: 29 March 2026
Summary
CVE-2026-32973 is a critical-severity Permissive Regular Expression (CWE-625) vulnerability in Openclaw Openclaw. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely remediation of the specific flaw in OpenClaw's matchesExecAllowlistPattern function through patching to version 2026.3.11 or later, directly preventing exploitation of the exec allowlist bypass.
Enforces deny-all, permit-by-exception policies for software execution, providing robust whitelisting that mitigates reliance on the vulnerable OpenClaw exec allowlist mechanism.
Applies least privilege to processes using OpenClaw, restricting the scope and impact of arbitrary command execution enabled by the allowlist bypass.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauth exec allowlist bypass in public-facing app directly enables T1190 exploitation and arbitrary Unix/POSIX command execution via T1059.004.
NVD Description
OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard matching across path segments to execute commands or paths not…
more
intended by operators.
Deeper analysisAI
CVE-2026-32973 is an exec allowlist bypass vulnerability in OpenClaw versions before 2026.3.11. The flaw occurs in the matchesExecAllowlistPattern function, which improperly normalizes patterns using lowercasing and glob matching, resulting in overmatching on POSIX paths. Attackers can leverage the ? wildcard to match across path segments, enabling execution of commands or paths not intended by operators. This issue is classified under CWE-625 and was published on 2026-03-29.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it critically severe due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability. Remote attackers without authentication can exploit it to bypass exec allowlists and execute arbitrary commands or unintended paths on affected systems.
Mitigation details are provided in advisories from OpenClaw at https://github.com/openclaw/openclaw/security/advisories/GHSA-f8r2-vg7x-gh8m and VulnCheck at https://www.vulncheck.com/advisories/openclaw-exec-allowlist-pattern-overmatch-via-posix-path-normalization. Upgrading to OpenClaw 2026.3.11 or later addresses the vulnerability, as prior versions are explicitly affected.
Details
- CWE(s)