Description

OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation and execute arbitrary commands on the paired host.

INFO

Published Date :

2026-03-19T01:00:51.999Z

Last Modified :

2026-03-19T01:00:51.999Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31993 vulnerability.

Vendors Products
Openclaw
  • Openclaw
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31993.

URL Resource
https://github.com/openclaw/openclaw/commit/5da03e622119fa012285cdb590fcf4264c965cb5 cve-icon cve-icon
https://github.com/openclaw/openclaw/commit/e371da38aab99521c4e076cd3d95fd775e00b784 cve-icon cve-icon
https://github.com/openclaw/openclaw/security/advisories/GHSA-5f9p-f3w2-fwch cve-icon cve-icon
https://www.vulncheck.com/advisories/openclaw-allowlist-parsing-mismatch-in-system-run-shell-chains cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact