Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.8.
DescriptionCVE.org
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command shape.
AnalysisAI
OpenClaw before 2026.3.8 allows authenticated remote attackers to bypass approval controls in the system.run function by obtaining approval for a script, modifying the approved script file before execution, and executing malicious content while preserving the approved command structure. This approval-execution window vulnerability enables privilege escalation and code execution with low complexity and no user interaction required. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The vulnerability stems from a race condition (CWE-367: Time-of-Check Time-of-Use) in OpenClaw's approval workflow for the system.run function. The approval mechanism checks and binds script operands at approval time, but these bindings are not retained or re-validated during the execution phase. Attackers with authenticated access can modify mutable script operands on disk between approval grant and actual execution, allowing the executor to run different code than what was approved. This affects the script approval chain-of-custody in OpenClaw's workflow automation system (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*), where system.run is likely a critical function for executing arbitrary commands or scripts as part of orchestration workflows.
RemediationAI
Upgrade OpenClaw to version 2026.3.8 or later to obtain the vendor-released patch. The upstream fix is available via GitHub commits c76d29208bf6a7f058d2cf582519d28069e42240 and cf3a479bd1204f62eef7dd82b4aa328749ae6c91, which address the mutable operand binding vulnerability by ensuring script operands are immutably bound at approval time and validated against stored bindings at execution time. Users unable to immediately upgrade should restrict write access to approved script files and enforce separation of duties between approval and execution roles. For detailed remediation guidance, consult the official security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-script-content-modification-via-mutable-operand-binding-in-system-run.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17375
GHSA-wwrj-437c-ppq4