Four CVEs affecting OpenClaw were publicly disclosed on March 19, all within the same 13-hour window. RedPacket Security flagged all four with blanket upgrade-immediately guidance: every one requires patching to version 2026.3.1 or later.

The disclosures span denial-of-service, authorization bypass, and guardrail escape:

The Allowlist Bypass Is the One That Matters

CVE-2026-31992 deserves specific attention. OpenClaw’s system.run allowlist is one of the primary mechanisms operators use to constrain what their AI agents can do on a host system. If an operator configures the allowlist to block rm -rf / or curl commands to external servers, those restrictions are supposed to hold. This CVE means they didn’t. An authenticated user could escape those guardrails and run commands the operator explicitly prohibited.

For enterprise deployments where the allowlist represents a security boundary between the AI agent and the host operating system, this is a material vulnerability. The whole point of the allowlist is to create a sandbox that limits what agents can do. A bypass turns that sandbox into a suggestion.

Timing Compounds the Problem

These disclosures landed in a week already saturated with agent security news. Oasis Security raised $120 million for agent identity management on the same day. The broader industry has been arguing that agent security is a serious, unsolved problem. Four CVEs in one day, especially one that bypasses the very guardrails designed to contain agent behavior, provide the evidence.

What Operators Should Do

Upgrade to OpenClaw 2026.3.1 immediately. If you’re running an OpenClaw instance with system.run allowlists as a security control, treat CVE-2026-31992 as a high-priority patch. Review your agent logs for any commands that should have been blocked but weren’t. And if your deployment is internet-facing, the Zalo webhook DoS (CVE-2026-28461) doesn’t require authentication and is exploitable by anyone who can reach the endpoint.