Cyber Posture

CVE-2026-43530

High · Public PoC

Published: 05 May 2026

Modified: 07 May 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (16.7th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-43530 is a high-severity Incorrect Authorization (CWE-863) vulnerability in OpenClaw. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks at the 16.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly remediates the weakened exec approval binding vulnerability in OpenClaw's busybox and toybox by requiring timely patching to version 2026.4.12 or later.

prevent

Enforces approved authorizations for execution of specific applets, preventing bypass via opaque multi-call binaries that obscure the actual applet run.

prevent

Implements a reference monitor to mediate and correctly identify applet execution attempts in multi-call binaries, blocking unauthorized invocations despite obfuscation.

MITRE ATT&CK Enterprise Techniques · AI

T1059.004 Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.

T1202 Indirect Command Execution · Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

Bypasses exec approval on busybox/toybox multi-call binaries, directly enabling Unix shell applet execution and indirect command execution to evade approval/risk controls.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations.

Deeper analysis · AI

CVE-2026-43530 is a weakened exec approval binding vulnerability in OpenClaw versions 2026.2.23 before 2026.4.12, specifically affecting busybox and toybox applet execution. The flaw allows attackers to obscure which applet would actually run by exploiting opaque multi-call binaries, thereby bypassing exec approval mechanisms and weakening risk classification of unsafe applet invocations. Published on 2026-05-05, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-863 (Incorrect Authorization).

Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation enables high-impact outcomes on confidentiality, integrity, and availability (C:H/I:H/A:H), allowing adversaries to execute unintended or unsafe applets while evading approval checks and risk assessments.

Mitigation details are provided in official advisories, including a patch commit at https://github.com/openclaw/openclaw/commit/666f48d9b882a8a1415ca53f9567c72499d850c9, the GitHub Security Advisory GHSA-2cq5-mf3v-mx44 at https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44, and analysis from VulnCheck at https://www.vulncheck.com/advisories/openclaw-weakened-exec-approval-binding-via-busybox-and-toybox-applet-execution. Upgrading to OpenClaw 2026.4.12 or later addresses the issue.

Details

CWE(s)

Affected Products

openclaw
openclaw
2026.2.23 — 2026.4.12

CVEs Like This One

CVE-2026-32059 · Same product: Openclaw Openclaw
CVE-2026-32023 · Same product: Openclaw Openclaw
CVE-2026-33577 · Same product: Openclaw Openclaw
CVE-2026-35653 · Same product: Openclaw Openclaw
CVE-2026-42426 · Same product: Openclaw Openclaw
CVE-2026-32978 · Same product: Openclaw Openclaw
CVE-2026-32010 · Same product: Openclaw Openclaw
CVE-2026-32915 · Same product: Openclaw Openclaw
CVE-2026-31998 · Same product: Openclaw Openclaw
CVE-2026-44110 · Same product: Openclaw Openclaw
