Vulnerability Details CVE-2026-43530
OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 21.4%
CVSS Severity
CVSS v3 Score 8.8
References
Products affected by CVE-2026-43530
-
cpe:2.3:a:openclaw:openclaw:2026.2.23
-
cpe:2.3:a:openclaw:openclaw:2026.2.24
-
cpe:2.3:a:openclaw:openclaw:2026.2.25
-
cpe:2.3:a:openclaw:openclaw:2026.2.26
-
cpe:2.3:a:openclaw:openclaw:2026.2.61
-
cpe:2.3:a:openclaw:openclaw:2026.2.62
-
cpe:2.3:a:openclaw:openclaw:2026.2.63
-
cpe:2.3:a:openclaw:openclaw:2026.3.1
-
cpe:2.3:a:openclaw:openclaw:2026.3.11
-
cpe:2.3:a:openclaw:openclaw:2026.3.12
-
cpe:2.3:a:openclaw:openclaw:2026.3.13
-
cpe:2.3:a:openclaw:openclaw:2026.3.2
-
cpe:2.3:a:openclaw:openclaw:2026.3.22
-
cpe:2.3:a:openclaw:openclaw:2026.3.23
-
cpe:2.3:a:openclaw:openclaw:2026.3.23-2
-
cpe:2.3:a:openclaw:openclaw:2026.3.24
-
cpe:2.3:a:openclaw:openclaw:2026.3.25
-
cpe:2.3:a:openclaw:openclaw:2026.3.28
-
cpe:2.3:a:openclaw:openclaw:2026.3.31
-
cpe:2.3:a:openclaw:openclaw:2026.3.7
-
cpe:2.3:a:openclaw:openclaw:2026.3.8
-
cpe:2.3:a:openclaw:openclaw:2026.4.1
-
cpe:2.3:a:openclaw:openclaw:2026.4.10
-
cpe:2.3:a:openclaw:openclaw:2026.4.11
-
cpe:2.3:a:openclaw:openclaw:2026.4.2
-
cpe:2.3:a:openclaw:openclaw:2026.4.4
-
cpe:2.3:a:openclaw:openclaw:2026.4.5
-
cpe:2.3:a:openclaw:openclaw:2026.4.7
-
cpe:2.3:a:openclaw:openclaw:2026.4.7-1
-
cpe:2.3:a:openclaw:openclaw:2026.4.8
-
cpe:2.3:a:openclaw:openclaw:2026.4.9