OpenClaw < 2026.2.22 - Path Traversal via Basename-Only Allowlist Matching on macOS | Advisories

Advisories

OpenClaw < 2026.2.22 - Path Traversal via Basename-Only Allowlist Matching on macOS

severity: high
date: 3/19/2026
Affecting: OpenClaw < 2026.2.22
CVE: CVE-2026-32016
CWE: CWE-426 Untrusted Search Path
CVSS: 7.3
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: GitHub Security Advisory (GHSA-7f4q-9rqh-x36p)
Patch Commit
Credit: tdjackey
Description: OpenClaw versions prior to 2026.2.22 on macOS contain a path validation bypass vulnerability in the exec-approval allowlist mode that allows local attackers to execute unauthorized binaries by exploiting basename-only allowlist entries. Attackers can execute same-name local binaries ./echo without approval when security=allowlist and ask=on-miss are configured, bypassing intended path-based policy restrictions.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo