9 matches found
CVE-2026-32058
OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval wit...
CVE-2026-32065
OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime execution uses raw argv. An attacker can craft a trailing-space executable token to...
Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hjvp-qhm6-wrh2. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with...
GHSA-CJQ8-M7WJ-XMQ9 Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hjvp-qhm6-wrh2. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with...
CVE-2026-32058
OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval wit...
EUVD-2026-13962
OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval wit...
CVE-2026-32058
OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval wit...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the system.run approvals. An attacker can cause execution of an unintended binary by crafting a command with a trailing-space in the executable token and...
PT-2026-26019
Summary For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.26 planned next npm release Impact A command...