VDB
KO
MEDIUM

GHSA-f8r2-vg7x-gh8m

OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths

Details

### Summary

`matchesExecAllowlistPattern` normalized patterns and targets with lowercasing and compiled glob matching too broadly on POSIX. In addition, the `?` wildcard could match `/`, which allowed matches to cross path segments.

### Impact

These matching rules could overmatch allowlist entries and permit commands or executable paths that an operator did not intend to approve.

### Affected versions

`openclaw` `<= 2026.3.8`

### Patch

Fixed in `openclaw` `2026.3.11` and included in later releases such as `2026.3.12`. Exec allowlist matching now respects the intended path semantics, and regression tests cover the POSIX case-folding and slash-crossing cases.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / openclaw
Introduced in: 0 Fixed in: 2026.3.11
Fix npm install openclaw@2026.3.11

References