Vulnerability-Lookup

CVE-2026-29608 (GCVE-0-2026-29608)

Vulnerability from cvelistv5 – Published: 2026-03-19 01:00 – Updated: 2026-03-19 16:09 X_Open Source

Title

OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting

Summary

OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text.

Severity

5.4 (Medium)


                        
                          CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

6.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-88 - Argument Injection or Modification

Assigner

VulnCheck

References

3 references

URL	Tags
https://github.com/openclaw/openclaw/security/adv…	third-party-advisory
https://github.com/openclaw/openclaw/commit/dded5…	patch
https://www.vulncheck.com/advisories/openclaw-app…	third-party-advisory

Impacted products

1 product

Vendor	Product	Version
OpenClaw	OpenClaw	Affected: 2026.3.1 , < 2026.3.2 (semver)

Date Public

2026-03-03 00:00

Credits

tdjackey

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29608",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-19T16:09:30.455784Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-19T16:09:41.951Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/openclaw",
          "product": "OpenClaw",
          "vendor": "OpenClaw",
          "versions": [
            {
              "lessThan": "2026.3.2",
              "status": "affected",
              "version": "2026.3.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
                  "versionEndExcluding": "2026.3.2",
                  "versionStartIncluding": "2026.3.1",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "tdjackey"
        }
      ],
      "datePublic": "2026-03-03T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88 Argument Injection or Modification",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T01:00:48.321Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GitHub Security Advisory (GHSA-h3rm-6x7g-882f)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f"
        },
        {
          "name": "Patch Commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1"
        },
        {
          "name": "VulnCheck Advisory: OpenClaw 2026.3.1 \u003c 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "title": "OpenClaw 2026.3.1 \u003c 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-29608",
    "datePublished": "2026-03-19T01:00:48.321Z",
    "dateReserved": "2026-03-04T16:16:15.967Z",
    "dateUpdated": "2026-03-19T16:09:41.951Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-29608",
      "date": "2026-06-04",
      "epss": "0.00025",
      "percentile": "0.0747"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-29608\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2026-03-19T02:16:03.223\",\"lastModified\":\"2026-03-19T19:15:57.043\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-88\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openclaw:openclaw:2026.3.1:*:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"378E843A-BF9B-4958-BF88-7C875638FC64\"}]}]}],\"references\":[{\"url\":\"https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29608\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-19T16:09:30.455784Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-19T16:09:38.040Z\"}}], \"cna\": {\"tags\": [\"x_open-source\"], \"title\": \"OpenClaw 2026.3.1 \u003c 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"tdjackey\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.4, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"OpenClaw\", \"product\": \"OpenClaw\", \"versions\": [{\"status\": \"affected\", \"version\": \"2026.3.1\", \"lessThan\": \"2026.3.2\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:npm/openclaw\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-03-03T00:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f\", \"name\": \"GitHub Security Advisory (GHSA-h3rm-6x7g-882f)\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1\", \"name\": \"Patch Commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting\", \"name\": \"VulnCheck Advisory: OpenClaw 2026.3.1 \u003c 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"vulncheck\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-88\", \"description\": \"CWE-88 Argument Injection or Modification\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"2026.3.2\", \"versionStartIncluding\": \"2026.3.1\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2026-03-19T01:00:48.321Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-29608\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-19T16:09:41.951Z\", \"dateReserved\": \"2026-03-04T16:16:15.967Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2026-03-19T01:00:48.321Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-29608

Vulnerability from fkie_nvd - Published: 2026-03-19 02:16 - Updated: 2026-03-19 19:15

Severity

6.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
6.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
disclosure@vulncheck.com	https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1	Patch
disclosure@vulncheck.com	https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f	Vendor Advisory
disclosure@vulncheck.com	https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting	Third Party Advisory

Impacted products

	Vendor	Product	Version
	openclaw	openclaw	2026.3.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openclaw:openclaw:2026.3.1:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "378E843A-BF9B-4958-BF88-7C875638FC64",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text."
    },
    {
      "lang": "es",
      "value": "OpenClaw 2026.3.1 contiene una vulnerabilidad de integridad de aprobaci\u00f3n en la ejecuci\u00f3n de node-host de system.run donde la reescritura de argv cambia la sem\u00e1ntica del comando. Los atacantes pueden colocar scripts locales maliciosos en el directorio de trabajo para ejecutar c\u00f3digo no deseado a pesar de la aprobaci\u00f3n del operador de un texto de comando diferente."
    }
  ],
  "id": "CVE-2026-29608",
  "lastModified": "2026-03-19T19:15:57.043",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 5.9,
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-19T02:16:03.223",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-88"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Primary"
    }
  ]
}

GHSA-G87J-GM7P-6VW2

Vulnerability from github – Published: 2026-03-19 03:30 – Updated: 2026-03-19 16:26

Summary

Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-h3rm-6x7g-882f. This link is maintained to preserve external references.

Original Description

Severity

6.7 (Medium)


                  
                    CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

5.4 (Medium)


                  
                    CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "versions": [
        "2026.3.1"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T16:26:05Z",
    "nvd_published_at": "2026-03-19T02:16:03Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-h3rm-6x7g-882f. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text.",
  "id": "GHSA-g87j-gm7p-6vw2",
  "modified": "2026-03-19T16:26:05Z",
  "published": "2026-03-19T03:30:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29608"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw\u0027s Node system.run approval hardening wrapper semantic drift can execute unintended local scripts",
  "withdrawn": "2026-03-19T16:26:05Z"
}

GHSA-H3RM-6X7G-882F

Vulnerability from github – Published: 2026-03-03 21:19 – Updated: 2026-03-19 21:22

Summary

OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts

Details

Summary

In openclaw@2026.3.1, node system.run approval-path hardening rewrote wrapper command argv in a way that changed execution semantics. A command shown/approved as a shell payload (for example echo SAFE) could execute a different local script when wrapper argv were rewritten.

Affected Packages / Versions

Package: openclaw (npm)
Affected: 2026.3.1 (latest published npm version as of March 2, 2026)
Fixed release: 2026.3.2 (released)

Technical Details

Root cause was in node-host approval hardening for system.run: - src/node-host/invoke-system-run-plan.ts rewrote argv[0] to the resolved executable. - Wrapper resolution unwrapped dispatch wrappers, so input like ['env','sh','-c','echo SAFE'] resolved executable sh. - The approved plan could become ['/bin/sh','sh','-c','echo SAFE'] while approval text remained echo SAFE.

That rewrite changed runtime behavior: /bin/sh interprets the extra sh positional argument as a script path, enabling execution of a local ./sh file from approved cwd instead of the approved payload text.

Impact

Approval-integrity break in host=node execution flow: operator-visible command text and executed behavior could diverge.

Exploit preconditions: - attacker can influence wrapper argv and place a local file in approved working directory, - operator grants approval for the displayed command.

Fix Commit(s)

dded569626b0d8e7bdab10b5e7528b6caf73a0f1

Fixed Version

Patched in openclaw@2026.3.2.

Severity

6.7 (Medium)


                  
                    CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.3.1"
            },
            {
              "fixed": "2026.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2026.3.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29608"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:19:08Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nIn `openclaw@2026.3.1`, node `system.run` approval-path hardening rewrote wrapper command argv in a way that changed execution semantics. A command shown/approved as a shell payload (for example `echo SAFE`) could execute a different local script when wrapper argv were rewritten.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `2026.3.1` (latest published npm version as of March 2, 2026)\n- Fixed release: `2026.3.2` (released)\n\n### Technical Details\nRoot cause was in node-host approval hardening for `system.run`:\n- `src/node-host/invoke-system-run-plan.ts` rewrote `argv[0]` to the resolved executable.\n- Wrapper resolution unwrapped dispatch wrappers, so input like `[\u0027env\u0027,\u0027sh\u0027,\u0027-c\u0027,\u0027echo SAFE\u0027]` resolved executable `sh`.\n- The approved plan could become `[\u0027/bin/sh\u0027,\u0027sh\u0027,\u0027-c\u0027,\u0027echo SAFE\u0027]` while approval text remained `echo SAFE`.\n\nThat rewrite changed runtime behavior: `/bin/sh` interprets the extra `sh` positional argument as a script path, enabling execution of a local `./sh` file from approved `cwd` instead of the approved payload text.\n\n### Impact\nApproval-integrity break in `host=node` execution flow: operator-visible command text and executed behavior could diverge.\n\nExploit preconditions:\n- attacker can influence wrapper argv and place a local file in approved working directory,\n- operator grants approval for the displayed command.\n\n### Fix Commit(s)\n- `dded569626b0d8e7bdab10b5e7528b6caf73a0f1`\n\n### Fixed Version\n- Patched in `openclaw@2026.3.2`.",
  "id": "GHSA-h3rm-6x7g-882f",
  "modified": "2026-03-19T21:22:05Z",
  "published": "2026-03-03T21:19:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29608"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw\u0027s Node system.run approval hardening wrapper semantic drift can execute unintended local scripts"
}

WID-SEC-W-2026-0573

Vulnerability from csaf_certbund - Published: 2026-03-02 23:00 - Updated: 2026-03-18 23:00

Summary

OpenClaw: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: OpenClaw ist ein persönlicher KI-Assistent zur Ausführung auf eigenen Geräten.

Angriff: Ein Angreifer kann mehrere Schwachstellen in OpenClaw ausnutzen, um beliebigen Code auszuführen, Daten zu manipulieren, einen Denial-of-Service-Zustand zu verursachen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen oder andere nicht näher spezifizierte Angriffe durchzuführen.

Betroffene Betriebssysteme: - Sonstiges - UNIX

CVE-2026-22180

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source OpenClaw <2026.3.2 Open Source / OpenClaw		<2026.3.2

CVE-2026-22181

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source OpenClaw <2026.3.2 Open Source / OpenClaw		<2026.3.2

CVE-2026-27670

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source OpenClaw <2026.3.2 Open Source / OpenClaw		<2026.3.2

CVE-2026-29608

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source OpenClaw <2026.3.2 Open Source / OpenClaw		<2026.3.2

CVE-2026-31990

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source OpenClaw <2026.3.2 Open Source / OpenClaw		<2026.3.2

References

13 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/openclaw/openclaw/security/adv…	external
https://github.com/openclaw/openclaw/security/adv…	external
https://github.com/openclaw/openclaw/security/adv…	external
https://github.com/openclaw/openclaw/security/adv…	external
https://github.com/openclaw/openclaw/security/adv…	external
https://github.com/openclaw/openclaw/security/adv…	external
https://github.com/openclaw/openclaw/security/adv…	external
https://github.com/openclaw/openclaw/security/adv…	external
https://github.com/openclaw/openclaw/security/adv…	external
https://github.com/openclaw/openclaw/security/adv…	external
https://github.com/openclaw/openclaw/security/adv…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "OpenClaw ist ein pers\u00f6nlicher KI-Assistent zur Ausf\u00fchrung auf eigenen Ger\u00e4ten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in OpenClaw ausnutzen, um beliebigen Code auszuf\u00fchren, Daten zu manipulieren, einen Denial-of-Service-Zustand zu verursachen, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen oder andere nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0573 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0573.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0573 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0573"
      },
      {
        "category": "external",
        "summary": "OpenClaw GitHub vom 2026-03-02",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2858-xg23-26fp"
      },
      {
        "category": "external",
        "summary": "OpenClaw GitHub vom 2026-03-02",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3pxq-f3cp-jmxp"
      },
      {
        "category": "external",
        "summary": "OpenClaw GitHub vom 2026-03-02",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-474h-prjg-mmw3"
      },
      {
        "category": "external",
        "summary": "OpenClaw GitHub vom 2026-03-02",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-77hf-7fqf-f227"
      },
      {
        "category": "external",
        "summary": "OpenClaw GitHub vom 2026-03-02",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mvx-p2r9-r375"
      },
      {
        "category": "external",
        "summary": "OpenClaw GitHub vom 2026-03-02",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cfvj-7rx7-fc7c"
      },
      {
        "category": "external",
        "summary": "OpenClaw GitHub vom 2026-03-02",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f"
      },
      {
        "category": "external",
        "summary": "OpenClaw GitHub vom 2026-03-02",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r54r-wmmq-mh84"
      },
      {
        "category": "external",
        "summary": "OpenClaw GitHub vom 2026-03-02",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v865-p3gq-hw6m"
      },
      {
        "category": "external",
        "summary": "OpenClaw GitHub vom 2026-03-02",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rc"
      },
      {
        "category": "external",
        "summary": "OpenClaw GitHub vom 2026-03-02",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg"
      }
    ],
    "source_lang": "en-US",
    "title": "OpenClaw: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-03-18T23:00:00.000+00:00",
      "generator": {
        "date": "2026-03-19T06:08:01.722+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0573",
      "initial_release_date": "2026-03-02T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-02T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-17T23:00:00.000+00:00",
          "number": "2",
          "summary": "CVE\u0027s erg\u00e4nzt"
        },
        {
          "date": "2026-03-18T23:00:00.000+00:00",
          "number": "3",
          "summary": "CVE-2026-27670, CVE-2026-29608, CVE-2026-31990 erg\u00e4nzt"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2026.3.2",
                "product": {
                  "name": "Open Source OpenClaw \u003c2026.3.2",
                  "product_id": "T051348"
                }
              },
              {
                "category": "product_version",
                "name": "2026.3.2",
                "product": {
                  "name": "Open Source OpenClaw 2026.3.2",
                  "product_id": "T051348-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:openclaw:openclaw:2026.3.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OpenClaw"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-22180",
      "product_status": {
        "known_affected": [
          "T051348"
        ]
      },
      "release_date": "2026-03-02T23:00:00.000+00:00",
      "title": "CVE-2026-22180"
    },
    {
      "cve": "CVE-2026-22181",
      "product_status": {
        "known_affected": [
          "T051348"
        ]
      },
      "release_date": "2026-03-02T23:00:00.000+00:00",
      "title": "CVE-2026-22181"
    },
    {
      "cve": "CVE-2026-27670",
      "product_status": {
        "known_affected": [
          "T051348"
        ]
      },
      "release_date": "2026-03-02T23:00:00.000+00:00",
      "title": "CVE-2026-27670"
    },
    {
      "cve": "CVE-2026-29608",
      "product_status": {
        "known_affected": [
          "T051348"
        ]
      },
      "release_date": "2026-03-02T23:00:00.000+00:00",
      "title": "CVE-2026-29608"
    },
    {
      "cve": "CVE-2026-31990",
      "product_status": {
        "known_affected": [
          "T051348"
        ]
      },
      "release_date": "2026-03-02T23:00:00.000+00:00",
      "title": "CVE-2026-31990"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-29608 (GCVE-0-2026-29608)

FKIE_CVE-2026-29608

GHSA-G87J-GM7P-6VW2

Duplicate Advisory

Original Description

GHSA-H3RM-6X7G-882F

Summary

Affected Packages / Versions

Technical Details

Impact

Fix Commit(s)

Fixed Version

WID-SEC-W-2026-0573

Tags

Sightings

Nomenclature