Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and execution to bypass command execution restrictions and execute arbitrary commands on node hosts.
AnalysisAI
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use (TOCTOU) vulnerability in the approval-bound system.run execution function where the current working directory (cwd) parameter is validated at approval time but resolved at execution time, allowing attackers with local access and limited privileges to retarget symlinked directories between approval and execution to bypass command execution restrictions and execute arbitrary commands on node hosts. The vulnerability has a CVSS score of 6.5 with medium attack complexity but high integrity and availability impact, making it a notable local privilege escalation vector that requires user interaction in the approval workflow.
Technical ContextAI
The vulnerability resides in OpenClaw's approval-bound system.run execution mechanism, which is designed to enforce command execution policies by validating requested parameters before execution (CWE-367: Improper Handling of Exceptional Conditions). The cwd parameter undergoes validation at approval time to ensure it points to an authorized directory; however, the actual path resolution occurs at execution time. An attacker with local file system access can exploit this window by creating a symlink that initially points to an approved directory, obtaining approval, then modifying the symlink to point to an unauthorized directory before execution occurs. The CPE identifier cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:* indicates all versions of OpenClaw prior to 2026.2.25 are affected by this race condition in path validation.
RemediationAI
Upgrade OpenClaw to version 2026.2.25 or later immediately, as a vendor patch is available and confirmed via the commit at https://github.com/openclaw/openclaw/commit/f789f880c934caa8be25b38832f27f90f37903db. Until patching can be completed, implement the following compensating controls: restrict local filesystem access to the OpenClaw process and approval workflow to trusted users only, enforce strict SELinux or AppArmor policies to prevent symlink traversal attacks, implement filesystem monitoring to detect suspicious symlink creation and modification patterns during approval workflows, and consider running OpenClaw in a sandboxed or containerized environment with restricted filesystem capabilities. Verify the patched version is deployed and validate that the cwd parameter validation now occurs at execution time rather than approval time.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13935
GHSA-3p2x-hjxj-c7rv