DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-GV46-4XFQ-JV58: GHSA-GV46-4XFQ-JV58: Remote Code Execution in OpenClaw via Approval Workflow Bypass

#security #cve #cybersecurity #ghsa

GHSA-GV46-4XFQ-JV58: Remote Code Execution in OpenClaw via Approval Workflow Bypass

Vulnerability ID: GHSA-GV46-4XFQ-JV58
CVSS Score: 8.8
Published: 2026-03-02

A critical remote code execution (RCE) vulnerability exists in OpenClaw versions prior to v2026.1.29. The vulnerability arises from a trust boundary violation between the OpenClaw Gateway and connected Node hosts. The Gateway fails to sanitize Remote Procedure Call (RPC) parameters before forwarding them to Nodes. This allows authenticated attackers (or attackers possessing a valid operator token) to inject internal control flags—specifically approved: true—into command payloads. These injected flags trick the Node into bypassing the mandatory user confirmation prompt for sensitive actions, resulting in the immediate execution of arbitrary shell commands on the target machine.

TL;DR

OpenClaw allows remote command execution without user approval due to improper parameter sanitization. Attackers can inject an "approved" flag into RPC requests, bypassing security prompts on developer machines. Fixed in v2026.1.29.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-501
  • Attack Vector: Network
  • CVSS Score: 8.8
  • Impact: Remote Code Execution
  • Exploit Status: PoC Available
  • Prerequisites: Authenticated Operator Token

Affected Systems

  • OpenClaw Gateway
  • OpenClaw Node Agent (macOS, Linux, Windows)
  • OpenClaw: < 2026.1.29 (Fixed in: 2026.1.29)

Code Analysis

Commit: 0af76f5

fix: sanitize node invoke params to prevent approval bypass

function sanitizeNodeInvokeParamsForForwarding(params: any) {
-  return params;
+  const safeParams = { ...params };
+  delete safeParams.approved;
+  delete safeParams.approvalDecision;
+  return safeParams;
}
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • DepthFirst: Technical analysis and proof of concept for the approval bypass

Mitigation Strategies

  • Input Validation
  • Principle of Least Privilege
  • Defense in Depth

Remediation Steps:

  1. Pull the latest OpenClaw Docker image or update the npm package to version v2026.1.29.
  2. Restart the OpenClaw Gateway service.
  3. Update all connected OpenClaw Node agents to ensure compatibility.
  4. Verify the fix by attempting to pass approved: true in a test environment; the prompt should now appear despite the flag.

References

Read the full report for GHSA-GV46-4XFQ-JV58 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)