GHSA-f8r2-vg7x-gh8m
OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths
Details
### Summary
`matchesExecAllowlistPattern` normalized patterns and targets with lowercasing and compiled glob matching too broadly on POSIX. In addition, the `?` wildcard could match `/`, which allowed matches to cross path segments.
### Impact
These matching rules could overmatch allowlist entries and permit commands or executable paths that an operator did not intend to approve.
### Affected versions
`openclaw` `<= 2026.3.8`
### Patch
Fixed in `openclaw` `2026.3.11` and included in later releases such as `2026.3.12`. Exec allowlist matching now respects the intended path semantics, and regression tests cover the POSIX case-folding and slash-crossing cases.
Are you affected?
Enter the version of the package you're using.