DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-HJVP-QHM6-WRH2: OpenClaw Node system.run Approval Context Bypass

#security #cve #cybersecurity #ghsa

OpenClaw Node system.run Approval Context Bypass

Vulnerability ID: GHSA-HJVP-QHM6-WRH2
CVSS Score: 6.5
Published: 2026-03-02

A critical context-binding weakness in the OpenClaw AI assistant platform allows attackers to bypass human-in-the-loop approval controls. Specifically, the system.run workflow in the Node host environment fails to cryptographically bind user approvals to the exact execution context, including environment variables and command arguments. This flaw permits an attacker to hijack a legitimate approval ID and reuse it to execute arbitrary code by injecting malicious environment variables (e.g., GIT_EXTERNAL_DIFF) or modifying arguments, effectively nullifying the security guarantees of the approval system.

TL;DR

OpenClaw < 2026.2.26 allows execution approval bypass via loose context binding. Attackers can reuse approved command IDs with modified environment variables to achieve arbitrary code execution.

Technical Details

  • CWE ID: CWE-345
  • CVSS Score: 6.5
  • Attack Vector: Local / Adjacent
  • Vulnerability Type: Context Binding Weakness
  • Affected Component: system.run
  • Exploit Status: PoC Available (Internal)

Affected Systems

  • OpenClaw Node Agent (host=node configuration)
  • OpenClaw: < 2026.2.26 (Fixed in: 2026.2.26)

Code Analysis

Commit: 1048109

refactor(security): enforce v1 node exec approval binding

Diff shows removal of matchLegacySystemRunApprovalBinding and introduction of envHash checks.
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade OpenClaw to version 2026.2.26 or later immediately.
  • Restrict host=node capabilities if immediate patching is not possible.
  • Audit execution logs for unusual environment variables associated with standard commands (e.g., GIT_EXTERNAL_DIFF, LD_PRELOAD).

Remediation Steps:

  1. Locate the package.json file in your OpenClaw deployment.
  2. Update the openclaw dependency version: npm install openclaw@2026.2.26.
  3. Restart the OpenClaw Node agent service to apply the changes.
  4. Verify the update by checking the version output of the running agent.

References

Read the full report for GHSA-HJVP-QHM6-WRH2 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)