Skip to content
CVSS 7.3 · HIGH

CVE-2026-41390

OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persistence fails to unwrap /usr/bin/script and similar wrappers before storing trust decisions. Attackers can obtain user approval for one wrapped command to persist trust for wrapper binaries that execute different underlying programs.

Ver en NVD

Análisis

OpenClaw is an open-source game engine project with very limited relevance to the professional web, mobile, and backend developer community. While the exec allowlist bypass is a legitimate security issue for its users, it does not impact the common open-source stack or infrastructure tools used by this community.

Severidad

Puntaje: 7.3(HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
AV: LOCAL
AC: LOW
PR: LOW
UI: REQUIRED
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-807

EPSS

Probabilidad de explotación (próx. 30 días): 0.0002 (0.0%)
Percentil: 6.4%
EPSS: 2026-05-06

Afecta

openclaw:openclaw

Descripción técnica

OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persistence fails to unwrap /usr/bin/script and similar wrappers before storing trust decisions. Attackers can obtain user approval for one wrapped command to persist trust for wrapper binaries that execute different underlying programs.

Publicada: 28/4/2026, 19:37:42
Última modificación: 30/4/2026, 20:38:27

Referencias

InicioEventosBlogRecursosEquipo