GHSA-f8r2-vg7x-gh8m: Path Overmatching and Command Execution Bypass in OpenClaw

OpenClaw (formerly Moltbot or ClawdBot) is an open-source personal AI assistant system designed to interact with the underlying host operating system. To restrict the capabilities of the AI agent, administrators configure an execution allowlist. This allowlist defines the specific binaries and directory paths the agent is permitted to invoke during operation.

The vulnerability, tracked as GHSA-f8r2-vg7x-gh8m, exists within the matchesExecAllowlistPattern function. This function is responsible for enforcing the allowlist restrictions by comparing requested command paths against predefined operator rules. The implementation fails to correctly normalize paths and applies overly permissive wildcard matching during this evaluation.

These validation failures allow a compromised AI session or an external attacker to craft executable paths that bypass the intended restrictions. The flaw specifically affects POSIX-compliant systems, such as Linux and macOS, where file path semantics and case sensitivity are strictly enforced by the underlying filesystem.

The vulnerability stems from two distinct implementation errors in the matchesExecAllowlistPattern function. The first flaw involves improper normalization (CWE-178). The function normalizes both the allowlist patterns and the target command paths by converting them to lowercase before comparison. Because POSIX file systems are case-sensitive, this forced lowercasing creates a discrepancy between the application's access control logic and the operating system's execution logic.

The second flaw involves improper validation of syntactic correctness (CWE-1286) regarding glob pattern matching. The application uses a glob implementation where the ? wildcard, typically intended to match a single non-separator character, is permitted to match the / (forward slash) directory separator. This behavior deviates from standard secure path-matching paradigms.

When combined, these two issues allow pattern boundaries to be broken. An allowlist entry intended to restrict execution to a specific directory or a specific set of binaries can be coerced into approving paths that traverse outside the intended directory structure or match identically named binaries with different casing schemes.

While exact patch diffs are abstracted, the logical flaw resides in the initial pre-processing and parsing of the path string. The vulnerable implementation applies a blanket .toLowerCase() method to both the user-supplied path and the allowlist pattern prior to executing the glob comparison.

// Vulnerable Conceptual Logic
function matchesExecAllowlistPattern(requestedPath, allowlistPattern) {
    const normalizedReq = requestedPath.toLowerCase();
    const normalizedPat = allowlistPattern.toLowerCase();
    // The glob library here allows '?' to match '/'
    return micromatch.isMatch(normalizedReq, normalizedPat);
}

The fix requires platform-aware normalization. On POSIX systems, case sensitivity must be preserved. Furthermore, the glob matching implementation must be configured or replaced to ensure that the ? wildcard explicitly rejects directory separators, constraining matches to single path segments.

// Patched Conceptual Logic
function matchesExecAllowlistPattern(requestedPath, allowlistPattern) {
    const isPosix = process.platform !== 'win32';
    const req = isPosix ? requestedPath : requestedPath.toLowerCase();
    const pat = isPosix ? allowlistPattern : allowlistPattern.toLowerCase();
    // Glob library configured to strictly prohibit '?' from matching '/'
    return micromatch.isMatch(req, pat, { dot: true, matchBase: false, strictSlashes: true });
}

This structural change ensures that the evaluation context directly mirrors the execution context of the host operating system, preventing authorization bypasses through path manipulation.

Exploitation requires an attacker to interact with the OpenClaw AI session and manipulate the command paths it attempts to execute. The attacker must first understand or infer the contents of the execution allowlist.

If the allowlist contains an entry using the ? wildcard, such as /usr/bin/??, the attacker can supply a path that leverages the separator-matching flaw. By requesting execution of /usr/bin/../tmp/evil.sh, the system evaluates the .. and directory separators against the ?? wildcards. If the wildcards consume the separators, the path is approved, and the attacker achieves execution outside the /usr/bin/ directory.

Alternatively, the attacker can exploit the case sensitivity flaw. If the allowlist permits /opt/Scripts/Safe.sh, an attacker can create a malicious script at /opt/scripts/safe.sh. The application lowercases both paths, resulting in a successful match, while the POSIX operating system executes the attacker's script instead of the administrator's intended script.

The primary consequence of this vulnerability is the unauthorized execution of binaries or scripts on the host operating system. Depending on the privileges granted to the OpenClaw service, an attacker can achieve varying levels of system compromise.

While the CVSS v4 score is calculated as 5.3 (Medium), this base score evaluates the vulnerability in a generic context. In environments where the OpenClaw agent operates with elevated privileges, or where the filesystem permits the creation of arbitrary scripts by unprivileged users, the real-world impact escalates directly to full Remote Code Execution (RCE).

The impact is concentrated entirely on POSIX-compliant operating systems. Windows environments, which natively employ case-insensitive file systems and different path separator semantics, are generally unaffected by the primary normalization vector.

The vulnerability is addressed in OpenClaw versions 2026.3.11 and 2026.3.12. Administrators must upgrade the openclaw npm package to one of these patched releases immediately. The update corrects the path normalization logic to respect POSIX case sensitivity and hardens the glob matching behavior.

If immediate patching is not possible, administrators should audit their existing allowlist configurations. All broad wildcards, specifically the ? and * characters, must be removed or heavily restricted. Explicit, absolute paths should be used for all allowed binaries to eliminate pattern-matching ambiguity.

Furthermore, securing the host environment reduces the exploitation surface. Ensuring that the OpenClaw service runs with the minimum necessary privileges limits the potential damage of a successful bypass. Implementing strict file permissions on directories adjacent to allowed execution paths prevents attackers from staging malicious scripts.