QwikSec

Security Database

CVE

CWE

Training

CVE-2026-31993

Published: Mar 19, 2026

Modified: Mar 23, 2026

PUBLISHED

CVSS v3.1

4.8

MEDIUM

Description

OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation and execute arbitrary commands on the paired host.

Vendor	Product	Versions
OpenClaw	OpenClaw	affected `0 - < 2026.2.22`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

References

GitHub Security Advisory (GHSA-5f9p-f3w2-fwch)

third-party-advisory

patch

patch

VulnCheck Advisory: OpenClaw < 2026.2.22 - Allowlist Parsing Mismatch in system.run Shell Chains

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.