CVE-2026-32022: OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)
OpenClaw tools.exec.safeBins had a stdin-only policy bypass for grep.
If pattern input was supplied through -e / --regexp, the validator consumed the pattern as a flag value and still allowed one positional operand. That positional could be a bare filename like .env.
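The validator logic described above, modelled as an added example (this is not OpenClaw's code; the function names, the flag allowlist and the hardened rule are assumptions made for illustration). The first check keeps the "one positional" budget even when `-e` / `--regexp` has already supplied the pattern; the second drops that budget to zero, so nothing is left for grep to treat as a file.

```javascript
// Simplified model of a stdin-only argv validator for grep (illustrative, not OpenClaw source).
const VALUE_FLAGS = new Set(["-e", "--regexp"]); // next argv item is the pattern
const BOOL_FLAGS = new Set(["-i", "-n", "-v", "-c", "-E", "-F"]); // constructed allowlist

// Walk argv and report leftover positionals and whether a flag supplied the pattern.
function parseGrepArgs(argv) {
  const positionals = [];
  let patternFromFlag = false;
  let endOfOptions = false;
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (endOfOptions || !arg.startsWith("-")) {
      positionals.push(arg);
    } else if (arg === "--") {
      endOfOptions = true; // everything after "--" is an operand
    } else if (VALUE_FLAGS.has(arg)) {
      if (i + 1 >= argv.length) return null; // flag is missing its value
      patternFromFlag = true;
      i++; // the pattern is consumed as the flag's value
    } else if (arg.startsWith("--regexp=") || (arg.startsWith("-e") && arg.length > 2)) {
      patternFromFlag = true; // attached forms: --regexp=PAT and -ePAT
    } else if (!BOOL_FLAGS.has(arg)) {
      return null; // unknown flag: reject
    }
  }
  return { positionals, patternFromFlag };
}

// Flawed check: always budgets one positional "for the pattern".
function vulnerableAllows(argv) {
  const parsed = parseGrepArgs(argv);
  return parsed !== null && parsed.positionals.length <= 1;
}

// Hardened check: once a flag supplies the pattern, any positional would be a file operand.
function hardenedAllows(argv) {
  const parsed = parseGrepArgs(argv);
  if (parsed === null) return false;
  const maxPositionals = parsed.patternFromFlag ? 0 : 1;
  return parsed.positionals.length <= maxPositionals;
}

// Constructed sample argv: pattern via -e, followed by a bare filename.
console.log(vulnerableAllows(["-e", "KEY", ".env"]), hardenedAllows(["-e", "KEY", ".env"]));
```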