CVSS 3.1 base score: 7.1

OpenClaw: Misleading Approval Text in Node-Host Executions

GHSA-rw39-5899-8mxp
Summary

OpenClaw's approval text for node-host executions may not accurately reflect the command that is actually run, so an operator could approve one command while a different one executes. This affects OpenClaw versions 2026.3.8 and earlier. To fix this, upgrade to version 2026.3.11 or later.

What to do
  • Update openclaw to version 2026.3.11.
Affected software
| Vendor | Product  | Affected versions | Fix available |
|--------|----------|-------------------|---------------|
| –      | openclaw | <= 2026.3.11      | 2026.3.11     |
Original title
OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv
Original description
## Summary
In affected versions of `openclaw`, node-host `system.run` approvals could display only an extracted shell payload such as `jq --version` while execution still ran a different outer wrapper argv such as `./env sh -c 'jq --version'`.

## Impact
This is an approval-integrity bug. An attacker who could place or select a local wrapper binary and induce a wrapper-shaped command could get local code executed after the operator approved misleading command text.

## Affected Packages and Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.8`
- Fixed in: `2026.3.11`

## Technical Details
Wrapper resolution normalized executables by basename and extracted inner shell payload text for approval display, while execution still preserved the full wrapper argv. Approval storage and UI therefore showed text that did not match the exact command OpenClaw would execute.

## Fix
OpenClaw now binds approvals to the exact executed argv and keeps extracted shell payload text only as secondary preview data. The fix shipped in `openclaw@2026.3.11`.

## Workarounds
Upgrade to `2026.3.11` or later.
Score source: GHSA, CVSS 3.1 base score 7.1
Vulnerability type
CWE-436 Interpretation Conflict
CWE-863 Incorrect Authorization
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026