


Perceptive Security
SOC/SIEM Consultancy

OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and …
Published:
28 March 2026 at 23:00:00
Alert date:
29 March 2026 at 14:05:44
Source:
nvd.nist.gov
Security Tools, Operating Systems
OpenClaw versions before 2026.3.11 contain a critical exec allowlist bypass vulnerability in the matchesExecAllowlistPattern function. The vulnerability stems from improper pattern normalization using lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard character to match across path segments, allowing execution of commands or paths not intended by system operators. This represents a significant security bypass that could lead to unauthorized command execution. The vulnerability affects the security controls designed to restrict executable paths and commands.
Technical details
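The advisory describes two normalization mistakes in the allowlist matcher: lowercasing both sides before comparison, and treating `?` (and, by the same glob-to-regex logic, `*`) as matching any character including `/`, so a pattern can be satisfied by a path with different directory levels than the operator intended. The following added example is not OpenClaw's code and is not taken from the advisory; the function names, the sample allowlist and the candidate paths are constructed here to show the over-matching matcher beside a hardened one that is case-sensitive, refuses non-canonical paths and keeps wildcards inside a single path segment. It generalizes slightly beyond the text by showing `*` crossing segments as well as `?`.

```javascript
// Added illustration of the allowlist-overmatch class described in the
// advisory (CVE-2026-32973). This is NOT OpenClaw's code: the function names,
// the sample allowlist and the candidate paths are constructed for this example.

// Build a RegExp from a glob pattern.
//   segmentAware=false: '*' and '?' match any character, '/' included
//                       (the over-matching behaviour the advisory describes).
//   segmentAware=true : '*' and '?' stop at '/', so a pattern cannot be
//                       satisfied by a path with extra directory levels.
function globToRegExp(pattern, segmentAware) {
  let source = "^";
  for (const ch of pattern) {
    if (ch === "*") source += segmentAware ? "[^/]*" : ".*";
    else if (ch === "?") source += segmentAware ? "[^/]" : ".";
    else source += ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp(source + "$");
}

// Weak matcher: lowercases both sides and lets wildcards cross '/'.
function weakMatchesExecAllowlistPattern(pattern, candidate) {
  return globToRegExp(pattern.toLowerCase(), false).test(candidate.toLowerCase());
}

// Accept only absolute paths in canonical form, so '..', '.', empty segments
// and relative paths never reach the glob at all.
function isCanonicalAbsolutePath(p) {
  if (!p.startsWith("/")) return false;
  const segments = p.slice(1).split("/");
  return segments.every((s) => s !== "" && s !== "." && s !== "..");
}

// Hardened matcher: case-sensitive, canonical input only, segment-aware glob.
function strictMatchesExecAllowlistPattern(pattern, candidate) {
  if (!isCanonicalAbsolutePath(candidate)) return false;
  return globToRegExp(pattern, true).test(candidate);
}

// Return the first allowlist entry that admits the candidate, or null.
function findAllowlistMatch(allowlist, candidate, matcher) {
  for (const pattern of allowlist) {
    if (matcher(pattern, candidate)) return pattern;
  }
  return null;
}

// Constructed allowlist: one exact binary, one single-character wildcard meant
// for job1.sh / jobA.sh, and one wildcard for executables directly in /opt/tools.
const ALLOWLIST = ["/usr/bin/git", "/home/deploy/scripts/job?.sh", "/opt/tools/*"];

// Constructed candidates. Only the first two are what the operator meant to allow.
const CANDIDATES = [
  "/usr/bin/git",                  // intended
  "/home/deploy/scripts/job1.sh",  // intended
  "/usr/bin/GIT",                  // a different file on a case-sensitive filesystem
  "/home/deploy/scripts/job/.sh",  // '?' crossing a path segment
  "/opt/tools/../../bin/sh",       // '*' crossing path segments
];

// Run both matchers over the candidates; returns { candidate: [weakMatch, strictMatch] }.
function compareMatchers(allowlist = ALLOWLIST, candidates = CANDIDATES) {
  const result = {};
  for (const c of candidates) {
    result[c] = [
      findAllowlistMatch(allowlist, c, weakMatchesExecAllowlistPattern),
      findAllowlistMatch(allowlist, c, strictMatchesExecAllowlistPattern),
    ];
  }
  return result;
}

for (const [candidate, [weak, strict]] of Object.entries(compareMatchers())) {
  console.log(`${candidate.padEnd(32)} weak=${weak ?? "deny"}  strict=${strict ?? "deny"}`);
}
```

The weak matcher admits all five candidates; the strict one admits only the two intended paths. The canonical-path check matters independently of the glob fix: a segment-aware `*` still matches a literal `..` segment, so rejecting non-canonical input before matching is what keeps `/opt/tools/*` from admitting a path that climbs out of the directory.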
Affected products:
OpenClaw
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-32973
https://github.com/openclaw/openclaw/security/advisories/GHSA-f8r2-vg7x-gh8m
https://www.vulncheck.com/advisories/openclaw-exec-allowlist-pattern-overmatch-via-posix-path-normalization
This article was created with the assistance of AI technology by Perceptive.
