CVSS 3.1 base score: 7.3 (GHSA)

OpenClaw gateway incorrectly trusts some executable files

GHSA-p4x4-2r7f-wjxg
Summary

A bug in the OpenClaw gateway causes it to trust certain executable files too readily, potentially allowing unauthorized access. If a user approves an executable once with "allow always", that approval can end up permitting other executables in the future. To fix this, update to version 2026.3.28 or later.

What to do
  • Update GitHub Actions openclaw to version 2026.3.28.
Affected software

| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| GitHub Actions | openclaw | <= 2026.3.24 | 2026.3.28 |
Original title
OpenClaw gateway exec allow-always over-trusts positional carrier executables
Original description
## Summary

Allow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers.

## Impact

A one-time approval could persist a broader future allowlist entry than the operator intended, weakening execution approval boundaries.

## Affected Component

`src/infra/exec-approvals-allowlist.ts`

## Fixed Versions

- Affected: `<= 2026.3.24`
- Patched: `>= 2026.3.28`
- Latest stable `2026.3.28` contains the fix.

## Fix

Fixed by commit `9ec44fad39` (`Exec approvals: reject wrapper carrier allow-always targets`).
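As an added illustration (not OpenClaw's code; the carrier table, shell list and command lines are constructed), the following TypeScript contrasts an allow-always check keyed on the first argv element with one keyed on the executable that the wrapper carriers actually dispatch to:

```typescript
// Added illustration, not OpenClaw's code: an exec allowlist whose allow-always
// entry is keyed on the executable actually invoked, and which refuses to
// persist an entry when only a wrapper carrier can be identified.
// Constructed carrier table: each entry drops the carrier's own options and
// returns the argv that it would go on to execute.
type Carrier = (rest: string[]) => string[];
const dropWhile = (a: string[], p: (s: string) => boolean): string[] => {
  let i = 0;
  while (i < a.length && p(a[i])) i++;
  return a.slice(i);
};
const CARRIERS: Record<string, Carrier> = {
  env: (r) => dropWhile(r, (s) => s.startsWith("-") || s.includes("=")),
  nohup: (r) => r,
  nice: (r) => (r[0] === "-n" ? r.slice(2) : dropWhile(r, (s) => s.startsWith("-"))),
};
// Shells execute an opaque string, so the real target cannot be pinned down.
const OPAQUE_SHELLS = new Set(["sh", "bash", "zsh"]);
const basename = (p: string): string => p.slice(p.lastIndexOf("/") + 1);
// Peel carriers until a concrete positional executable remains. Returns null
// when only carriers are present, a shell is reached, or nesting is absurd.
function resolveInvokedTarget(argv: string[]): string | null {
  let rest = argv;
  for (let depth = 0; depth < 8 && rest.length > 0; depth++) {
    const name = basename(rest[0]);
    if (OPAQUE_SHELLS.has(name)) return null;
    const carrier = CARRIERS[name];
    if (!carrier) return name;
    rest = carrier(rest.slice(1));
  }
  return null;
}

// Vulnerable shape: allow-always records argv[0], so approving
// `env python3 script.py` once persists "env", which then matches any `env ...`.
function allowAlwaysTargetOld(argv: string[]): string | null {
  return argv.length > 0 ? basename(argv[0]) : null;
}
function isAllowedOld(argv: string[], allow: Set<string>): boolean {
  const t = allowAlwaysTargetOld(argv);
  return t !== null && allow.has(t);
}

// Fixed shape: the persisted entry is the resolved target; null means the
// approval stays one-time instead of becoming an allowlist entry.
function isAllowedFixed(argv: string[], allow: Set<string>): boolean {
  const t = resolveInvokedTarget(argv);
  return t !== null && allow.has(t);
}
```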
Vulnerability type
CWE-863 Incorrect Authorization
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 1 Apr 2026