5.5
OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
GHSA-hjvp-qhm6-wrh2
Summary
In approval-enabled `host=node` workflows, `system.run` approvals did not always carry a strict, versioned execution-context binding. In uncommon setups that rely on these approvals as an integrity guardrail, a previously approved request could be reused with changed env input.
What to do
- Update steipete openclaw to version 2026.2.26.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.26 | 2026.2.26 |
Original title
OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
Original description
### Summary
In approval-enabled `host=node` workflows, `system.run` approvals did not always carry a strict, versioned execution-context binding. In uncommon setups that rely on these approvals as an integrity guardrail, a previously approved request could be reused with changed env input.
### Affected Packages / Versions
- Package: npm `openclaw`
- Latest published npm version at triage: `2026.2.25`
- Affected range: `<= 2026.2.25`
- Planned fixed version (next npm release): `2026.2.26`
### Preconditions / Typical Exposure
This requires all of the following:
- `system.run` usage through `host=node`
- Exec approvals enabled and used as an execution-integrity control
- Access to an approval id in the same context
Most default single-operator local setups do not rely on this path, so practical exposure is typically lower.
### Details
Approval matching now uses a required versioned binding (`systemRunBindingV1`) over command argv, cwd, agent/session context, and env hash.
The fix:
- Requires `commandArgv` when requesting `host=node` approvals.
- Requires `systemRunBindingV1` when consuming approvals for node `system.run`.
- Removes legacy non-versioned fallback matching and fails closed on missing/mismatched bindings.
- Keeps env mismatch handling explicit and blocks `GIT_EXTERNAL_DIFF` in host env policy.
- Adds/updates regression and contract coverage for mismatch mapping and binding rules.
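A minimal sketch of the kind of binding check the fix describes, added here as an illustration and not taken from the OpenClaw code base. Only `systemRunBindingV1`, `commandArgv` and `GIT_EXTERNAL_DIFF` come from the advisory; every other field name, function name, reason string and the SHA-256 env hash are assumptions.

```javascript
// Added illustration; not OpenClaw source. Names other than systemRunBindingV1,
// commandArgv and GIT_EXTERNAL_DIFF are assumptions made for this example.
const { createHash } = require("node:crypto");

const BLOCKED_ENV_KEYS = new Set(["GIT_EXTERNAL_DIFF"]); // key named in the advisory

// Hash env in sorted key order so equal environments always hash the same.
function envHash(env) {
  const h = createHash("sha256");
  for (const key of Object.keys(env).sort()) {
    h.update(JSON.stringify([key, String(env[key])]));
  }
  return h.digest("hex");
}

// Build the versioned binding stored with an approval at request time.
function buildBinding({ commandArgv, cwd, agentId, sessionKey, env = {} }) {
  if (!Array.isArray(commandArgv) || commandArgv.length === 0) {
    throw new Error("commandArgv is required for host=node approvals");
  }
  const blocked = Object.keys(env).find((k) => BLOCKED_ENV_KEYS.has(k));
  if (blocked) throw new Error(`env key not allowed: ${blocked}`);
  return { version: 1, argv: [...commandArgv], cwd, agentId, sessionKey, envHash: envHash(env) };
}

// Check an approval against the run about to execute; any gap is a denial.
function matchApproval(approval, run) {
  const bound = approval && approval.systemRunBindingV1;
  // No legacy fallback: an approval without a V1 binding never matches.
  if (!bound || bound.version !== 1) return { ok: false, reason: "missing-binding" };
  let actual;
  try { actual = buildBinding(run); } catch (e) { return { ok: false, reason: "invalid-request" }; }
  if (JSON.stringify(bound.argv) !== JSON.stringify(actual.argv)) return { ok: false, reason: "argv-mismatch" };
  for (const field of ["cwd", "agentId", "sessionKey"]) {
    if (bound[field] !== actual[field]) return { ok: false, reason: `${field}-mismatch` };
  }
  if (bound.envHash !== actual.envHash) return { ok: false, reason: "env-mismatch" };
  return { ok: true, reason: null };
}

// Constructed sample: one approved run, then the same approval presented with a changed env.
const approvedRun = { commandArgv: ["git", "status"], cwd: "/srv/repo", agentId: "agent-1", sessionKey: "sess-1", env: { LANG: "C" } };
const approval = { id: "appr-demo", systemRunBindingV1: buildBinding(approvedRun) };
const changedEnv = { ...approvedRun, env: { LANG: "C", PAGER: "less" } };
```

With this shape, `matchApproval(approval, changedEnv)` is denied with an explicit env mismatch, and an approval record that lacks the binding is denied rather than matched on the approval id alone.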
### Impact
Configuration-dependent approval-integrity weakness in node-host exec approval flows. Severity remains `medium` because exploitation depends on this specific approval mode and context.
### Fix Commit(s)
- `10481097f8e6dd0346db9be0b5f27570e1bdfcfa`
### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm release `2026.2.26` is published, the advisory can be published without further metadata edits.
OpenClaw thanks @tdjackey for reporting.
ghsa CVSS3.1
5.5
Vulnerability type
CWE-15
CWE-863
Incorrect Authorization
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026