6.9
OpenClaw: Node approvals can be used on the wrong node
GHSA-6x2m-hqfw-hvpj
Summary
A bug in OpenClaw allows an operator to approve a task on one node and then use that approval on a different node. This could let an unauthorized task run on the second node. To fix this, update OpenClaw to version 2026.2.23 or later.
What to do
- Update openclaw to version 2026.2.23.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.23 | 2026.2.23 |
Original title
OpenClaw: Node exec approvals could be replayed across nodes
Original description
## Summary
`exec.approval` requests for `host=node` were not explicitly bound to the target `nodeId`, so an approval intended for one node could be replayed for a different node under the same operator-controlled gateway fleet.
## Impact
An operator approval for a `system.run` request could be reused across nodes if the request payload did not carry node identity through approval and execution checks.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.22-2`
- Fixed: `2026.2.23` (released)
## Mitigation
Upgrade to `2026.2.23` or later once published.
## Fix Details
The fix requires and persists `nodeId` for `host=node` approval requests and rejects execution when the approving node binding does not match the invoking node.
## Fix Commit(s)
- 4a3f8438e527ac371a67fe7ac68a287f0dbe6063
## Release Process Note
`patched_versions` is pre-set to the released version (`2026.2.23`). This advisory now reflects released fix version `2026.2.23`.
OpenClaw thanks @tdjackey for reporting.
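The flaw and the fix described above come down to one missing field on the approval record. The following added example (not OpenClaw's code; all names such as `ExecRequest`, `UnboundApprovalStore` and `NodeBoundApprovalStore` are hypothetical) shows the two patterns side by side: an approval store that records only what was approved, so a grant for one node is accepted on another, and a store that requires and persists `nodeId` for `host=node` requests and rejects execution when the approving node binding does not match the invoking node.

```typescript
// Added example, not OpenClaw's code. All type and class names are hypothetical.
import { randomUUID } from "node:crypto";

// Shape of an exec request as seen by the gateway (constructed for this example).
type ExecRequest = {
  host: "node" | "gateway";
  nodeId?: string; // which node the command should run on (only for host=node)
  command: string;
};

type Approval = { approvalId: string; command: string; nodeId?: string };

/** Vulnerable pattern: the approval records what was approved, not where. */
class UnboundApprovalStore {
  private approvals = new Map<string, Approval>();

  approve(req: ExecRequest): string {
    const approvalId = randomUUID();
    // nodeId is dropped here, so nothing later can check it.
    this.approvals.set(approvalId, { approvalId, command: req.command });
    return approvalId;
  }

  authorize(approvalId: string, req: ExecRequest): boolean {
    const a = this.approvals.get(approvalId);
    // Only the command is compared; the invoking node is never consulted.
    return a !== undefined && a.command === req.command;
  }
}

/** Hardened pattern: host=node approvals must carry nodeId, which is persisted
 *  with the approval and compared again at execution time. */
class NodeBoundApprovalStore {
  private approvals = new Map<string, Approval>();

  approve(req: ExecRequest): string {
    if (req.host === "node" && !req.nodeId) {
      throw new Error("host=node approval requests must name a nodeId");
    }
    const approvalId = randomUUID();
    this.approvals.set(approvalId, {
      approvalId,
      command: req.command,
      nodeId: req.nodeId, // node binding persisted alongside the approval
    });
    return approvalId;
  }

  authorize(approvalId: string, req: ExecRequest): boolean {
    const a = this.approvals.get(approvalId);
    if (a === undefined || a.command !== req.command) return false;
    if (req.host === "node") {
      // Reject when the approving node binding does not match the invoking node.
      return a.nodeId !== undefined && a.nodeId === req.nodeId;
    }
    return true;
  }
}

/** Runs the same approve-on-A, execute-on-B sequence through both stores. */
function crossNodeReplayAccepted(): { unbound: boolean; bound: boolean } {
  const approvedOn: ExecRequest = { host: "node", nodeId: "node-a", command: "system.run" };
  const executedOn: ExecRequest = { host: "node", nodeId: "node-b", command: "system.run" };

  const unbound = new UnboundApprovalStore();
  const bound = new NodeBoundApprovalStore();

  return {
    unbound: unbound.authorize(unbound.approve(approvedOn), executedOn),
    bound: bound.authorize(bound.approve(approvedOn), executedOn),
  };
}

/** Sanity check that the hardened store still honours a correctly bound approval. */
function sameNodeAccepted(): boolean {
  const req: ExecRequest = { host: "node", nodeId: "node-a", command: "system.run" };
  const bound = new NodeBoundApprovalStore();
  return bound.authorize(bound.approve(req), req);
}

/** The hardened store refuses to mint an approval that names no node. */
function unboundNodeRequestRejected(): boolean {
  try {
    new NodeBoundApprovalStore().approve({ host: "node", command: "system.run" });
    return false;
  } catch {
    return true;
  }
}

console.log(crossNodeReplayAccepted()); // { unbound: true, bound: false }
```

The important design choice is that the binding is checked at execution time against the node actually invoking the command, not only at approval time; an approval that merely carried `nodeId` in its payload but was never re-compared would leave the same gap. A single-use approval would further narrow the window, but the advisory only describes the node binding, so the example stops there.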
Severity: CVSS 4.0 score 6.9 (source: GHSA)
Vulnerability type
- CWE-285: Improper Authorization
- CWE-863: Incorrect Authorization
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026