OpenClaw system.run approvals allow malicious script changes

GHSA-8g75-q649-6pv6
Summary

If you're using OpenClaw's system.run feature, an attacker could get the system to run a different script than the one that was approved, by modifying the script file after approval but before execution: the approval bound the command's argv, but not the contents of the script file that argv named. This affects OpenClaw version 2026.3.7 or earlier. To fix this, update to version 2026.3.8 or later.

What to do
  • Update openclaw to version 2026.3.8 or later.
Affected software

| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| – | openclaw | <= 2026.3.7 | 2026.3.8 |
Original title
OpenClaw's system.run approvals did not bind mutable script operands across approval and execution
Original description
OpenClaw's `system.run` approval flow did not bind mutable interpreter-style script operands across approval and execution.

A caller could obtain approval for an execution such as `sh ./script.sh`, rewrite the approved script before execution, and then execute different content under the previously approved command shape. The approved `argv` values remained the same, but the mutable script operand content could drift after approval.

Latest published npm version verified vulnerable: `2026.3.7`

The initial March 7, 2026 fix in `c76d29208bf6a7f058d2cf582519d28069e42240` added approval binding for shell scripts and a narrow interpreter set, but follow-up maintainer review on March 8, 2026 found that `bun` and `deno` script operands still did not produce `mutableFileOperand` snapshots.

A complete fix shipped on March 9, 2026 in `cf3a479bd1204f62eef7dd82b4aa328749ae6c91`, which binds approved `bun` and `deno run` script operands to on-disk file snapshots and denies post-approval script drift before execution.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.7`
- Patched version: `2026.3.8`

## Fix Commit(s)

- `c76d29208bf6a7f058d2cf582519d28069e42240`
- `cf3a479bd1204f62eef7dd82b4aa328749ae6c91`

## Release Verification

- npm `2026.3.7` remains vulnerable.
- npm `2026.3.8` contains the completed fix.

Thanks @tdjackey for reporting.
Source: GHSA · CVSS 3.1 score: 6.3
Vulnerability type
  • CWE-285 Improper Authorization
  • CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026