OpenClaw System Runs Can Be Hijacked Via Symlink Attack

GHSA-mwcg-wfq3-4gjc
Summary

OpenClaw's system.run feature on node hosts can be tricked into running arbitrary code if an attacker creates a malicious symlink. This is possible when an attacker can modify the working directory (cwd) path that a system.run command executes in, retargeting a symlink after the command has been approved but before it is spawned. OpenClaw has fixed this issue in version 2026.2.25, which you should update to as soon as possible. If you're running version 2026.2.24 or earlier, update to 2026.2.25.

What to do
  • Update openclaw to version 2026.2.25.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.24 | 2026.2.25 |
Original title
OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host
Original description
### Summary
In `openclaw@2026.2.24`, approval-bound `system.run` on node hosts could be influenced by mutable symlink `cwd` targets between approval and execution.

### Details
Approval matching on the gateway validated command/argv and binding fields, including `cwd`, as provided text. Node execution later used runtime `cwd` resolution. A symlinked `cwd` could therefore be retargeted after approval and before spawn.

OpenClaw's trust model does not treat one shared gateway as a multi-tenant adversarial boundary, but approval integrity is still a security boundary for operator-reviewed command execution.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.24`
- Patched: `>= 2026.2.25`

### Fix Commit(s)
- `f789f880c934caa8be25b38832f27f90f37903db`

### Remediation
The fix adds defense-in-depth hardening for approval-bound node execution:
- reject symlink `cwd` paths for approval-bound `system.run`
- canonicalize path-like executable argv before spawn
- bind CLI approval requests to exact `commandArgv`

### Release Process Note
Patched version is pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.

OpenClaw thanks @tdjackey for reporting.
Severity: CVSS 4.0 8.7 (source: GHSA)
Vulnerability type
CWE-59 Link Following
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026