
OpenClaw: Bypassing Node Executions' Approval Checks

GHSA-f7ww-2725-qvw2
Summary

OpenClaw's node execution system (`host=node` runs of `system.run`) could have its approval checks bypassed. A command approved for one filesystem location could later run from a different one: if a parent directory component of the approved `cwd` is a symlink the requesting user can re-point, swapping its target between approval time and execution time changes where the command actually runs while the visible `cwd` string stays identical, so a check that compares only that string still passes. The fix prepares an immutable plan at approval time, enforces those canonical values at execution, and rejects mutable parent-symlink path components outright. Update OpenClaw to version 2026.2.26 or later to protect your system.

What to do
  • Update openclaw to version 2026.2.26 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw (npm) | <= 2026.2.25 | 2026.2.26 |
Original title
OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind
Original description
## Summary
For `host=node` executions, the approval context could be bypassed after approval time by rebinding a writable parent symlink in `cwd` while preserving the visible `cwd` string, so the string compared at execution still matched the one that was approved.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.25`
- Fixed: `>= 2026.2.26` (planned next npm release)

## Impact
A command approved for one filesystem location could execute from a different location if a mutable parent symlink changed between approval and execution.

## Fix
- Added immutable approval-time plan preparation (`system.run.prepare`) and `systemRunPlanV2` canonical fields (`argv`, `cwd`, `agentId`, `sessionKey`).
- Enforced canonical plan values through approval request storage and forwarding-time sanitization.
- Rejected mutable parent-symlink path components during approval-plan building to block symlink rebind bypass.
- Follow-up refactors centralized command catalogs and approval context/error handling to reduce future drift.

## Fix Commit(s)
- `78a7ff2d50fb3bcef351571cb5a0f21430a340c1`
- `d82c042b09727a6148f3ca651b254c4a677aff26`
- `d06632ba45a8482192792c55d5ff0b2e21abb0a7`
- `4e690e09c746408b5e27617a20cb3fdc5190dbda`
- `4b4718c8dfce2e2c48404aa5088af7c013bed60b`

## Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.26`). Once npm `[email protected]` is published, publish this advisory directly without further version-field edits.

OpenClaw thanks @tdjackey for reporting.
Severity: CVSS 4.0 base score 8.7 (source: GHSA)
Vulnerability type
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026