OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows

Summary

In approval-enabled host=node workflows, system.run approvals did not always carry a strict, versioned execution-context binding. In uncommon setups that rely on these approvals as an integrity guardrail, a previously approved request could be reused with changed env input.

Affected Packages / Versions

• Package: npm openclaw
• Latest published npm version at triage: 2026.2.25
• Affected range: <= 2026.2.25
• Planned fixed version (next npm release): 2026.2.26

Preconditions / Typical Exposure

This requires all of the following:

• system.run usage through host=node
• Exec approvals enabled and used as an execution-integrity control
• Access to an approval id in the same context

Most default single-operator local setups do not rely on this path, so practical exposure is typically lower.

Details

Approval matching now uses a required versioned binding (systemRunBindingV1) over command argv, cwd, agent/session context, and env hash.

The fix:

• Requires commandArgv when requesting host=node approvals.
• Requires systemRunBindingV1 when consuming approvals for node system.run.
• Removes legacy non-versioned fallback matching and fails closed on missing/mismatched bindings.
• Keeps env mismatch handling explicit and blocks GIT_EXTERNAL_DIFF in host env policy.
• Adds/updates regression and contract coverage for mismatch mapping and binding rules.

Impact

Configuration-dependent approval-integrity weakness in node-host exec approval flows. Severity remains medium because exploitation depends on this specific approval mode and context.

Fix Commit(s)

• 10481097f8e6dd0346db9be0b5f27570e1bdfcfa

Release Process Note

patched_versions is pre-set to the planned next release (2026.2.26) so once npm release 2026.2.26 is published, the advisory can be published without further metadata edits.

OpenClaw thanks @tdjackey for reporting.