6.7
OpenClaw 2026.3.1 Node System Run Approval Bypass
GHSA-h3rm-6x7g-882f
Summary
A security issue in OpenClaw version 2026.3.1 allows attackers to execute unintended local scripts by manipulating the system.run approval process. This can happen when an attacker places a malicious file in the approved working directory and convinces an operator to approve a command that appears safe but actually runs the malicious file. To fix this issue, update to OpenClaw version 2026.3.2 or later.
What to do
- Update openclaw to version 2026.3.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | 2026.3.1 | 2026.3.2 |
Original title
OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
Original description
### Summary
In `openclaw@2026.3.1`, node `system.run` approval-path hardening rewrote wrapper command argv in a way that changed execution semantics. A command shown/approved as a shell payload (for example `echo SAFE`) could execute a different local script when wrapper argv were rewritten.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `2026.3.1` (latest published npm version as of March 2, 2026)
- Fixed release: `2026.3.2` (released)
### Technical Details
Root cause was in node-host approval hardening for `system.run`:
- `src/node-host/invoke-system-run-plan.ts` rewrote `argv[0]` to the resolved executable.
- Wrapper resolution unwrapped dispatch wrappers, so input like `['env','sh','-c','echo SAFE']` resolved executable `sh`.
- The approved plan could become `['/bin/sh','sh','-c','echo SAFE']` while approval text remained `echo SAFE`.
That rewrite changed runtime behavior: `/bin/sh` interprets the extra `sh` positional argument as a script path, enabling execution of a local `./sh` file from approved `cwd` instead of the approved payload text.
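The drift described in the list above, as an added TypeScript example that is not OpenClaw's code: a hypothetical buggy rewrite beside a corrected one, plus a gate that compares what `/bin/sh` would actually do with the text the operator approved. Helper names, the wrapper set and the resolver table are assumptions.

```typescript
// Added example (not OpenClaw's code); all names are hypothetical stand-ins
// for helpers in src/node-host/invoke-system-run-plan.ts, which may differ.

// Dispatch wrappers the resolver looks through (assumed set).
const DISPATCH_WRAPPERS = new Set(["env", "nice", "nohup"]);
// Assumed executable resolution table, standing in for a PATH lookup.
const RESOLVED: Record<string, string> = { sh: "/bin/sh" };

// Drop leading wrapper words, never the final word.
function unwrapDispatch(argv: string[]): string[] {
  let i = 0;
  while (i < argv.length - 1 && DISPATCH_WRAPPERS.has(argv[i])) i++;
  return argv.slice(i);
}

// Buggy shape: argv[0] is overwritten with the executable resolved from the
// unwrapped command, but the original tail (still starting with "sh") is kept.
function buggyPlan(argv: string[]): string[] {
  const inner = unwrapDispatch(argv);
  return [RESOLVED[inner[0]] ?? inner[0], ...argv.slice(1)];
}

// Fixed shape: the rewrite is applied to the unwrapped argv, so the wrapper
// words disappear together and no stray positional operand is left behind.
function fixedPlan(argv: string[]): string[] {
  const inner = unwrapDispatch(argv);
  return [RESOLVED[inner[0]] ?? inner[0], ...inner.slice(1)];
}

// What /bin/sh would do with a plan, simplified from the POSIX sh grammar:
// "-c" makes the next operand the command string; otherwise the first
// non-option operand is read as a script file (command_file).
type ShellEffect = { mode: "command"; command: string } | { mode: "script"; path: string };

function shellEffect(plan: string[]): ShellEffect {
  const args = plan.slice(1);
  for (let i = 0; i < args.length; i++) {
    if (args[i] === "-c") return { mode: "command", command: args[i + 1] ?? "" };
    if (!args[i].startsWith("-")) return { mode: "script", path: args[i] };
  }
  return { mode: "command", command: "" }; // no operands: nothing to run
}

// Approval gate: accept only a plan whose executed behaviour is exactly the
// command string the operator approved.
function approvalHolds(approvedText: string, plan: string[]): boolean {
  const eff = shellEffect(plan);
  return eff.mode === "command" && eff.command === approvedText;
}
```

With the page's input `['env','sh','-c','echo SAFE']`, `buggyPlan` yields the `['/bin/sh','sh','-c','echo SAFE']` plan from the list above, which `shellEffect` classifies as running a script named `sh`, so the gate rejects it; `fixedPlan` yields `['/bin/sh','-c','echo SAFE']`, which the gate accepts.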
### Impact
Approval-integrity break in `host=node` execution flow: operator-visible command text and executed behavior could diverge.
Exploit preconditions:
- attacker can influence wrapper argv and place a local file in approved working directory,
- operator grants approval for the displayed command.
### Fix Commit(s)
- `dded569626b0d8e7bdab10b5e7528b6caf73a0f1`
### Fixed Version
- Patched in `openclaw@2026.3.2`.
GHSA CVSS 3.1 score: 6.7
Vulnerability type
CWE-88
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026