GHSA-8G75-Q649-6PV6
Vulnerability from github – Published: 2026-03-12 14:21 – Updated: 2026-04-06 22:37
OpenClaw's system.run approval flow did not bind mutable interpreter-style script operands across approval and execution.
A caller could obtain approval for an execution such as sh ./script.sh, rewrite the approved script before execution, and then execute different content under the previously approved command shape. The approved argv values remained the same, but the mutable script operand content could drift after approval.
Latest published npm version verified vulnerable: 2026.3.7
The initial March 7, 2026 fix in c76d29208bf6a7f058d2cf582519d28069e42240 added approval binding for shell scripts and a narrow interpreter set, but follow-up maintainer review on March 8, 2026 found that bun and deno script operands still did not produce mutableFileOperand snapshots.
A complete fix shipped on March 9, 2026 in cf3a479bd1204f62eef7dd82b4aa328749ae6c91, which binds approved bun and deno run script operands to on-disk file snapshots and denies post-approval script drift before execution.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.3.7
- Patched version: 2026.3.8
Fix Commit(s)
- c76d29208bf6a7f058d2cf582519d28069e42240
- cf3a479bd1204f62eef7dd82b4aa328749ae6c91
Release Verification
- npm 2026.3.7 remains vulnerable.
- npm 2026.3.8 contains the completed fix.
Thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.7"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32921"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:21:28Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "OpenClaw\u0027s `system.run` approval flow did not bind mutable interpreter-style script operands across approval and execution.\n\nA caller could obtain approval for an execution such as `sh ./script.sh`, rewrite the approved script before execution, and then execute different content under the previously approved command shape. The approved `argv` values remained the same, but the mutable script operand content could drift after approval.\n\nLatest published npm version verified vulnerable: `2026.3.7`\n\nThe initial March 7, 2026 fix in `c76d29208bf6a7f058d2cf582519d28069e42240` added approval binding for shell scripts and a narrow interpreter set, but follow-up maintainer review on March 8, 2026 found that `bun` and `deno` script operands still did not produce `mutableFileOperand` snapshots.\n\nA complete fix shipped on March 9, 2026 in `cf3a479bd1204f62eef7dd82b4aa328749ae6c91`, which binds approved `bun` and `deno run` script operands to on-disk file snapshots and denies post-approval script drift before execution.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.3.7`\n- Patched version: `2026.3.8`\n\n## Fix Commit(s)\n\n- `c76d29208bf6a7f058d2cf582519d28069e42240`\n- `cf3a479bd1204f62eef7dd82b4aa328749ae6c91`\n\n## Release Verification\n\n- npm `2026.3.7` remains vulnerable.\n- npm `2026.3.8` contains the completed fix.\n\nThanks @tdjackey for reporting.",
"id": "GHSA-8g75-q649-6pv6",
"modified": "2026-04-06T22:37:15Z",
"published": "2026-03-12T14:21:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32921"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-script-content-modification-via-mutable-operand-binding-in-system-run"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw\u0027s system.run approvals did not bind mutable script operands across approval and execution"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.