OpenClaw: Malicious executables may be allowed due to incorrect path matching

GHSA-f8r2-vg7x-gh8m
Summary

A bug in OpenClaw allows malicious executables to be accidentally approved if their path contains specific characters. This could lead to unauthorized access or actions. To fix, update to OpenClaw version 2026.3.11 or later.

What to do
  • Update openclaw to version 2026.3.11.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.8 | 2026.3.11 |
Original title
OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths
Original description
### Summary

`matchesExecAllowlistPattern` lowercased both the pattern and the target before matching, so on POSIX, where paths are case-sensitive, the compiled glob matched more broadly than intended. In addition, the `?` wildcard could match `/`, which allowed a match to cross path segments.

### Impact

These matching rules could overmatch allowlist entries and permit commands or executable paths that an operator did not intend to approve.

### Affected versions

`openclaw` `<= 2026.3.8`

### Patch

Fixed in `openclaw` `2026.3.11` and included in later releases such as `2026.3.12`. Exec allowlist matching now respects the intended path semantics, and regression tests cover the POSIX case-folding and slash-crossing cases.
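To make the two matching defects concrete, here is an added example (not OpenClaw's code, and only an assumed shape of the pre-fix behaviour): a minimal allowlist glob matcher in a loose variant that case-folds and lets `?` match `/`, beside a strict variant that keeps wildcards inside one path segment and folds case only on Windows. The patterns and targets are constructed.

```javascript
// Added example, not OpenClaw's code: a minimal exec-allowlist glob matcher
// in two variants. matchesLoose reproduces the overmatching the advisory
// describes ('?' matches '/', both sides case-folded); matchesStrict keeps
// wildcards inside one path segment and folds case only on Windows.
function globToRegExp(pattern, { boundQuestion = true, ignoreCase = false } = {}) {
  let src = "^";
  for (const ch of pattern) {
    if (ch === "*") src += "[^/]*";                            // '*' never crosses a segment
    else if (ch === "?") src += boundQuestion ? "[^/]" : "."; // '.' also matches '/'
    else src += ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");      // escape regex metacharacters
  }
  return new RegExp(src + "$", ignoreCase ? "i" : "");
}

// Overmatching variant (assumed shape of the behaviour before 2026.3.11).
function matchesLoose(pattern, target) {
  return globToRegExp(pattern, { boundQuestion: false, ignoreCase: true }).test(target);
}

// Hardened variant: POSIX paths are case-sensitive and '/' is never a wildcard hit.
function matchesStrict(pattern, target, platform = process.platform) {
  return globToRegExp(pattern, { boundQuestion: true, ignoreCase: platform === "win32" }).test(target);
}

// Constructed sample entries: an operator approves one helper script and one
// interpreter, then sees what else each matcher would let through.
const cases = [
  ["/srv/app/run?sh", "/srv/app/run.sh"],   // intended: '?' stands in for '.'
  ["/srv/app/run?sh", "/srv/app/run/sh"],   // '?' crossing into a subdirectory
  ["/usr/bin/python3", "/usr/bin/PYTHON3"], // a different file on POSIX
];
for (const [pattern, target] of cases) {
  console.log(pattern, "vs", target,
    "loose:", matchesLoose(pattern, target),
    "strict:", matchesStrict(pattern, target, "linux"));
}
```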
CVSS 4.0 score (GHSA): 6.9
Vulnerability type
CWE-178
CWE-625
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026