LOW 2.6 npm

Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows

GHSA-cjq8-m7wj-xmq9


Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-hjvp-qhm6-wrh2. This link is maintained to preserve external references.

Original Description

OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows.
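One way to bind an approval to its full execution context, shown as an added example that is not OpenClaw's code or its actual fix. The request fields (`host`, `command`, `args`, `cwd`, `env`), the `ApprovalStore` class and the behaviour of the weak check are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Digest over every input that influences execution (field names are assumed).
// Env keys are sorted so the digest does not depend on insertion order.
function contextDigest(req) {
  const env = Object.keys(req.env || {}).sort().map((k) => [k, String(req.env[k])]);
  const canonical = JSON.stringify([req.host, req.command, req.args || [], req.cwd || "", env]);
  return crypto.createHash("sha256").update(canonical).digest("hex");
}

// Hypothetical approval store, not OpenClaw's implementation.
class ApprovalStore {
  constructor() { this.approvals = new Map(); }

  // Record what the operator actually approved.
  approve(req) {
    const id = crypto.randomUUID();
    this.approvals.set(id, { command: req.command, digest: contextDigest(req) });
    return id;
  }

  // Weak check (assumed shape of the flaw): env is not part of the binding,
  // so the same approval id still validates after env changes.
  checkWeak(id, req) {
    const a = this.approvals.get(id);
    return Boolean(a) && a.command === req.command;
  }

  // Bound check: the full context digest must match, and the approval is
  // consumed on first successful use so it cannot be replayed.
  checkBound(id, req) {
    const a = this.approvals.get(id);
    if (!a) return false;
    const got = Buffer.from(contextDigest(req), "hex");
    const want = Buffer.from(a.digest, "hex");
    if (!crypto.timingSafeEqual(got, want)) return false;
    this.approvals.delete(id);
    return true;
  }
}

// Constructed sample requests: same approval id, different env.
const approved = { host: "node", command: "npm", args: ["test"], env: { CI: "1" } };
const modified = { ...approved, env: { CI: "1", EXTRA: "changed" } };
```

A failed bound check is worth logging together with the approval id, since a digest mismatch on a known id means the request changed after it was approved.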
