CVE-2026-41380

Description

## Summary Allow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers. ## Impact A one-time approval could persist a broader future allowlist entry than the operator intended, weakening execution approval boundaries. ## Affected Component `src/infra/exec-approvals-allowlist.ts` ## Fixed Versions - Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix. ## Fix Fixed by commit `9ec44fad39` (`Exec approvals: reject wrapper carrier allow-always targets`).

How to fix CVE-2026-41380

To remediate CVE-2026-41380, upgrade the affected package to a fixed version below.

• —upgrade to 2026.3.28 or later

Is CVE-2026-41380 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2026.3.28

CVSS scores

References (4)

• PATCHgithub.com/openclaw/openclaw
• WEBgithub.com/openclaw/openclaw/commit/9ec44fad390f0bc1c29c3cc418b322560cb0222b
• WEBgithub.com/openclaw/openclaw/releases/tag/v2026.3.28
• WEBgithub.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg