CVE-2026-31993
MEDIUM
5.6
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: high
User Interaction: active
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM
4.8
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: high
User Interaction: required
Scope: unchanged
Confidentiality: none
Integrity: high
Availability: low
Description
OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation and execute arbitrary commands on the paired host.
CWE-184
Incomplete List of Disallowed Inputs
Draft
Common Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism
Applicable Platforms
All platforms may be affected
https://github.com/openclaw/openclaw/commit/5da03e622119fa012285cdb590fcf4264c9…
https://github.com/openclaw/openclaw/commit/e371da38aab99521c4e076cd3d95fd775e0…
https://github.com/openclaw/openclaw/security/advisories/GHSA-5f9p-f3w2-fwch
https://www.vulncheck.com/advisories/openclaw-allowlist-parsing-mismatch-in-sys…