OpenClaw: Approval Bypass via Trailing Spaces on Executable Tokens

GHSA-hwpq-rrpf-pgcq
Summary

A security flaw in OpenClaw allows an attacker to get a user to approve one command while a different program is executed. This can lead to unexpected behavior when an attacker controls the command arguments. To fix this issue, update OpenClaw to version 2026.2.25 or later.

What to do
  • Update openclaw to version 2026.2.25.
Affected software

| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.24 | 2026.2.25 |
Original title
OpenClaw: system.run approval identity mismatch could execute a different binary than displayed
Original description
### Summary
`system.run` approvals in OpenClaw used rendered command text as the approval identity while trimming argv token whitespace. Runtime execution still used raw argv. A crafted trailing-space executable token could therefore execute a different binary than what the approver saw.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.24`
- Patched versions: `>= 2026.2.25`

### Impact
This is an approval-integrity bypass that can lead to unexpected command execution under the OpenClaw runtime user when an attacker can influence `command` argv and reuse/obtain a matching approval context.

### Trust Model Note
OpenClaw does not treat adversarial multi-user sharing of one gateway host/config as a supported security boundary. This finding is still valid in supported deployments because it breaks the operator approval boundary itself (approved display command vs executed argv).

### Fix Commit(s)
- `03e689fc89bbecbcd02876a95957ef1ad9caa176`

### Release Process Note
`patched_versions` is pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.

OpenClaw thanks @tdjackey for reporting.
Source: GHSA · CVSS 4.0: 8.7
Vulnerability type
  • CWE-436 Interpretation Conflict
  • CWE-863 Incorrect Authorization
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026