GHSA-WWRJ-437C-PPQ4 Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8g75-q649-6pv6. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are no...

PT-2026-29229

OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content...

GHSA-8G75-Q649-6PV6 OpenClaw's system.run approvals did not bind mutable script operands across approval and execution

OpenClaw's system.run approval flow did not bind mutable interpreter-style script operands across approval and execution. A caller could obtain approval for an execution such as sh ./script.sh, rewrite the approved script before execution, and then execute different content under the previously...