Cyber Posture

CVE-2026-43530

High · Public PoC

Published: 05 May 2026

Modified: 05 May 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (15.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly remediates the weakened exec approval binding vulnerability in OpenClaw's busybox and toybox applet execution by requiring timely patching to version 2026.4.12 or later.

prevent

Enforces approved authorizations for execution of specific applets, preventing bypass via opaque multi-call binaries that obscure the actual applet run.

prevent

Implements a reference monitor to mediate and correctly identify applet execution attempts in multi-call binaries, blocking unauthorized invocations despite obfuscation.
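
One way to bind approvals to the applet a busybox or toybox invocation would actually run, in the spirit of the reference-monitor control above. This is an added example, not OpenClaw's code or its patch; the function names, the `approved` set and the risk table are hypothetical.

```python
import os

MULTICALL = {"busybox", "toybox"}
# Constructed risk table for illustration (assumption, not OpenClaw's classification).
HIGH_RISK = {"sh", "ash", "nc", "wget", "dd", "chroot"}

def resolve_applet(argv, resolved_exe):
    """Return (binary, applet); applet is None when it cannot be determined.

    resolved_exe is the symlink-resolved path of the file that will be executed,
    for example os.path.realpath() of the looked-up command.
    """
    binary = os.path.basename(resolved_exe)
    if binary not in MULTICALL:
        return binary, binary                     # ordinary single-purpose binary
    args = list(argv)
    name = os.path.basename(args[0]).lstrip("-")  # "-sh" is a login-shell argv[0]
    # "busybox ls" dispatches on the next argument; nested "busybox busybox ls"
    # is unwrapped conservatively until a real applet name is reached.
    while name in MULTICALL:
        args = args[1:]
        if not args or args[0].startswith("-"):
            return binary, None                   # bare call or option such as --list
        name = os.path.basename(args[0])
    return binary, name

def decide(argv, resolved_exe, approved):
    """approved holds (binary, applet) pairs, never a bare binary name."""
    binary, applet = resolve_applet(argv, resolved_exe)
    if applet is None:
        return "deny", "unresolved"               # fail closed on opaque invocations
    risk = "high" if applet in HIGH_RISK else "low"
    if (binary, applet) in approved:
        return "allow", risk
    return "ask", risk
```

An approval recorded for `("busybox", "ls")` then does not carry over to `busybox sh`, and the risk label follows the resolved applet rather than the name of the multi-call binary.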

Security Summary · AI

CVE-2026-43530 is a weakened exec approval binding vulnerability in OpenClaw versions 2026.2.23 before 2026.4.12, specifically affecting busybox and toybox applet execution. The flaw allows attackers to obscure which applet would actually run by exploiting opaque multi-call binaries, thereby bypassing exec approval mechanisms and weakening risk classification of unsafe applet invocations. Published on 2026-05-05, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-863 (Incorrect Authorization).

Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation enables high-impact outcomes on confidentiality, integrity, and availability (C:H/I:H/A:H), allowing adversaries to execute unintended or unsafe applets while evading approval checks and risk assessments.

Mitigation details are provided in official advisories, including a patch commit at https://github.com/openclaw/openclaw/commit/666f48d9b882a8a1415ca53f9567c72499d850c9, the GitHub Security Advisory GHSA-2cq5-mf3v-mx44 at https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44, and analysis from VulnCheck at https://www.vulncheck.com/advisories/openclaw-weakened-exec-approval-binding-via-busybox-and-toybox-applet-execution. Upgrading to OpenClaw 2026.4.12 or later addresses the issue.

Details

CWE(s): CWE-863 (Incorrect Authorization)

MITRE ATT&CK Enterprise Techniques · AI

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Bypasses exec approval on busybox/toybox multi-call binaries, directly enabling Unix shell applet execution and indirect command execution to evade approval/risk controls.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References