CVE Reports

Posted on • Originally published at cvereports.com

GHSA-HWPQ-RRPF-PGCQ: Execution Approval Bypass in OpenClaw system.run

Vulnerability ID: GHSA-HWPQ-RRPF-PGCQ
CVSS Score: 7.2
Published: 2026-03-02

A critical vulnerability in the OpenClaw AI assistant allows attackers to bypass execution approval mechanisms. Due to a discrepancy between how commands are displayed to the user and how they are executed by the system, an attacker can trick a user into approving a malicious binary execution under the guise of a benign command. This issue affects the system.run tool and allows for arbitrary code execution if the attacker can influence the AI agent's tool calls.

TL;DR

OpenClaw versions before 2026.2.25 contain a UI spoofing vulnerability in the system.run approval flow. Attackers can execute binaries with trailing whitespace in their names while displaying a clean, benign command to the user for approval.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-290
  • Attack Vector: Network (Agent Instruction)
  • CVSS: 7.2 (High)
  • Impact: Arbitrary Code Execution
  • Exploit Status: PoC Available
  • Vendor: OpenClaw

Affected Systems

  • OpenClaw AI Assistant (npm package)
  • openclaw: < 2026.2.25 (Fixed in: 2026.2.25)

Code Analysis

Commit: 03e689f

fix(gateway): strict argv identity binding for system.run approval

@@ -45,7 +45,15 @@
-    if (commandString === approvedString) {
+    if (requestedArgv) {
+      if (requestedArgv.length !== argv.length) return false;
+      for (let i = 0; i < requestedArgv.length; i++) {
+        if (requestedArgv[i] !== argv[i]) return false;
+      }
+    }
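Review bot: The per-element check sits inside `if (requestedArgv)`, so a request that carries no `requestedArgv` skips the identity comparison entirely, and the visible lines do not show what is returned in that case now that the `commandString === approvedString` test is removed. Consider failing closed (for example `if (!requestedArgv) return false;`) or documenting why an absent value is safe. A short comment noting that elements are compared with `!==` and deliberately without trimming or normalization would also help keep a later refactor from reintroducing a display-string comparison.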

Mitigation Strategies

  • Upgrade OpenClaw immediately to version 2026.2.25 or later.
  • Audit existing system.run logs for command executions involving tokens with trailing or unusual whitespace.
  • Restrict the AI agent's write access to directories in the system PATH to prevent the staging of spoofed binaries.
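One way to run the log audit from the second bullet, as an added example that is not OpenClaw's code. The page does not show the system.run log format, so the record shape (one JSON object per line with an `argv` array) and the names `auditLog`, `auditLine`, `inspectToken` and `visible` are assumptions.

```javascript
// Added example, not OpenClaw code. ASSUMPTION: one JSON record per log line
// with an "argv" array; adapt auditLine() to the real system.run log format.

// Whitespace and invisible code points other than the plain ASCII space.
const UNUSUAL = /[\t\n\v\f\r\u0085\u00a0\u1680\u2000-\u200f\u2028\u2029\u202f\u205f\u2060\u3000\ufeff]/;

// Render a token so that every non-printable or non-ASCII character shows up.
function visible(token) {
  return JSON.stringify(token).replace(/[^\x20-\x7e]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function inspectToken(token) {
  const reasons = [];
  if (token !== token.trim()) reasons.push("leading-or-trailing-whitespace");
  if (UNUSUAL.test(token)) reasons.push("unusual-whitespace");
  return reasons;
}

function auditLine(line, lineNo) {
  let record;
  try { record = JSON.parse(line); } catch { return [{ lineNo, error: "unparseable" }]; }
  if (!record || !Array.isArray(record.argv)) return [{ lineNo, error: "no-argv" }];
  return record.argv.flatMap((raw, index) => {
    const reasons = inspectToken(String(raw));
    // index 0 is the executable; a hit there is the case this advisory describes.
    return reasons.length
      ? [{ lineNo, index, isExecutable: index === 0, token: visible(String(raw)), reasons }]
      : [];
  });
}

function auditLog(text) {
  return text.split("\n").flatMap((line, i) =>
    line.trim() === "" ? [] : auditLine(line, i + 1));
}

// Constructed sample records (not real OpenClaw output).
const SAMPLE_LOG = [
  '{"tool":"system.run","argv":["ls","-la"]}',
  '{"tool":"system.run","argv":["node ","--version"]}',
  '{"tool":"system.run","argv":["echo","a\\u00a0b"]}',
  'not json',
].join("\n");

console.log(JSON.stringify(auditLog(SAMPLE_LOG), null, 2));
```

Findings with `isExecutable: true` deserve review first; unparseable lines are reported rather than skipped so gaps in the audit stay visible.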

Remediation Steps:

  1. Stop the running OpenClaw instance.
  2. Run npm install -g openclaw@latest to fetch the patched version.
  3. Verify the installation by running openclaw --version and ensuring it reports 2026.2.25 or higher.
  4. Restart the agent.

Read the full report for GHSA-HWPQ-RRPF-PGCQ on our website for more details including interactive diagrams and full exploit analysis.