CVE-2026-41380

HIGH7.3EPSS 0.03%

OpenClaw gateway exec allow-always over-trusts positional carrier executables

發布日:2026/4/1修改日:2026/4/28

描述

## Summary Allow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers. ## Impact A one-time approval could persist a broader future allowlist entry than the operator intended, weakening execution approval boundaries. ## Affected Component `src/infra/exec-approvals-allowlist.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `9ec44fad39` (`Exec approvals: reject wrapper carrier allow-always targets`).

受影響套件(1)

npm/openclawfrom 0, < 2026.3.28

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

參考連結(4)

PATCHhttps://github.com/openclaw/openclaw
WEBhttps://github.com/openclaw/openclaw/commit/9ec44fad390f0bc1c29c3cc418b322560cb0222b
WEBhttps://github.com/openclaw/openclaw/releases/tag/v2026.3.28
WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg