
Description

OpenClaw versions prior to 2026.2.24 contain a policy bypass vulnerability in the safeBins allowlist evaluation that trusts static default directories including writable package-manager paths like /opt/homebrew/bin and /usr/local/bin. An attacker with write access to these trusted directories can place a malicious binary with the same name as an allowed executable to achieve arbitrary command execution within the OpenClaw runtime context.
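The defensive check the description implies, written here as an added Python example rather than OpenClaw's own code (the project's safeBins implementation and language are not shown on this page): before a directory on an allowlist is consulted, verify that it is a real directory owned by root or the current user and not writable by group or other, and apply the same test to the binary itself. The `resolve_static` function models the pre-fix behaviour (first listed directory that holds an executable wins); `resolve_checked` skips any directory or file that fails the ownership and mode checks. The directory names, the `tool` binary and the `DEFAULT_TRUSTED_DIRS` list are constructed for the demonstration and are assumptions, not values taken from the advisory.

```python
import os
import stat
import tempfile
from typing import Iterable, Optional, Tuple

# Constructed stand-in for the kind of static default list the advisory
# describes; not OpenClaw's actual configuration.
DEFAULT_TRUSTED_DIRS = ["/opt/homebrew/bin", "/usr/local/bin"]


def _safe_owner_and_mode(st: os.stat_result) -> bool:
    """Owned by root or the current user, and not writable by group or other."""
    if st.st_uid not in (0, os.getuid()):
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def directory_is_trustworthy(path: str) -> bool:
    """True only for a real directory (no symlink) with a safe owner and mode."""
    try:
        st = os.lstat(path)  # lstat: a symlinked directory is rejected outright
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and _safe_owner_and_mode(st)


def binary_is_trustworthy(path: str) -> bool:
    """True only for a regular, owner-executable file (no symlink) with a safe owner and mode."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return (
        stat.S_ISREG(st.st_mode)
        and bool(st.st_mode & stat.S_IXUSR)
        and _safe_owner_and_mode(st)
    )


def resolve_static(name: str, dirs: Iterable[str]) -> Optional[str]:
    """Pre-fix style lookup: the first listed directory holding an executable wins,
    regardless of who can write to that directory."""
    for d in dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def resolve_checked(name: str, dirs: Iterable[str]) -> Optional[str]:
    """Hardened lookup: a directory is consulted only if it, and the binary
    inside it, pass the ownership and mode checks."""
    for d in dirs:
        if not directory_is_trustworthy(d):
            continue  # writable by others or foreign-owned: never trust its contents
        candidate = os.path.join(d, name)
        if binary_is_trustworthy(candidate):
            return candidate
    return None


def build_demo_layout() -> Tuple[str, str]:
    """Constructed fixture: a group/other-writable 'loose' directory and a 0o755
    'hardened' directory, each containing a 'tool' executable.
    Returns (loose_dir, hardened_dir)."""
    root = tempfile.mkdtemp(prefix="safebins-demo-")
    loose = os.path.join(root, "loose-bin")
    hardened = os.path.join(root, "hardened-bin")
    for d, mode in ((loose, 0o777), (hardened, 0o755)):
        os.mkdir(d)
        tool = os.path.join(d, "tool")
        with open(tool, "w") as f:
            f.write("#!/bin/sh\necho tool\n")
        os.chmod(tool, 0o755)
        os.chmod(d, mode)  # set the directory mode last so the umask cannot interfere
    return loose, hardened


def demo() -> dict:
    """Run both lookups over a search order that lists the writable directory first,
    which is the position /opt/homebrew/bin occupies in the advisory's description."""
    loose, hardened = build_demo_layout()
    search_order = [loose, hardened]
    return {
        "loose": loose,
        "hardened": hardened,
        "static": resolve_static("tool", search_order),
        "checked": resolve_checked("tool", search_order),
    }


if __name__ == "__main__":
    r = demo()
    print("static lookup picked:  ", r["static"])
    print("checked lookup picked: ", r["checked"])
```

The static lookup returns the `tool` from the world-writable directory, which is the hijack path the advisory describes; the checked lookup skips that directory and returns the copy from the 0o755 directory. Accepting the current user as owner alongside root is a deliberate choice: on a macOS Homebrew install the prefix is owned by the installing user, and a writer with that user's privileges already has everything the runtime has.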

Status: Published | Reserved 2026-03-10 | Published 2026-03-19 | Updated 2026-03-21 | Assigner: VulnCheck

HIGH: 7.0 (CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)

MEDIUM: 5.7 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H)

Problem types

CWE-426: Untrusted Search Path

Product status

Default status
unaffected

Any version before 2026.2.24
affected

2026.2.24 (semver)
unaffected

Credits

tdjackey reporter

References

github.com/...enclaw/security/advisories/GHSA-5gj7-jf77-q2q2 (GitHub Security Advisory (GHSA-5gj7-jf77-q2q2)) third-party-advisory

github.com/...ommit/b67e600bff696ff2ed9b470826590c0ce6b3bb0a (Patch Commit) patch

www.vulncheck.com/...default-trusted-directories-in-safebins (VulnCheck Advisory: OpenClaw < 2026.2.24 - Binary Hijacking via Static Default Trusted Directories in safeBins) third-party-advisory

cve.org (CVE-2026-32009)

nvd.nist.gov (CVE-2026-32009)
