EUVD-2026-14593
GHSA-cp5x-5627-vxqx
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
OpenClaw before 2026.3.1 contains an approval bypass vulnerability in system.run where non-path-like argv[0] tokens fail to bind executable identity, allowing post-approval executable rebind. Attackers can modify PATH resolution after approval to execute a different binary than the operator approved.
Analysis
OpenClaw versions prior to 2026.3.1 contain an approval bypass vulnerability in the system.run function that allows attackers to execute a different binary than the one approved by an operator. The vulnerability stems from non-path-like argv[0] tokens failing to bind to executable identity, enabling post-approval PATH manipulation to redirect execution to attacker-controlled binaries. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all OpenClaw deployments and identify instances running versions prior to 2026.3.1; notify affected teams and restrict local access where possible. Within 7 days: Implement compensating controls including enhanced file integrity monitoring on execution paths, restrict PATH environment variable modifications through SELinux/AppArmor policies, and disable OpenClaw's system.run function if not operationally critical. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today