Severity by source
CVSS Vector (Vendor: VulnCheck): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable approval workflow with a low-privileged authenticated submitter (PR:L) and a required approver action (UI:A); successful execution yields full C/I/A impact via the exec runner.
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with benign prefixes and malicious suffixes to execute unauthorized operations after approval.
Analysis (AI)
Command approval bypass in OpenClaw versions prior to 2026.5.18 allows authenticated users to smuggle malicious instructions past human approvers by exploiting how the approval UI truncates oversized exec commands. The flaw (CWE-451, UI misrepresentation) lets an attacker craft a request with a benign-looking prefix while a malicious suffix is hidden from the reviewer's display, resulting in unauthorized execution once the request is approved. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires (1) an authenticated account on the target OpenClaw instance with permission to submit exec commands through the approval workflow (PR:L), (2) a target deployment running a version prior to 2026.5.18 with the exec-approval feature in use, and (3) a separate human approver who is tricked into approving the crafted oversized command via the truncated UI (UI:A). … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:A, VC:H/VI:H/VA:H) scores this at 8.5: high impact across confidentiality, integrity, and availability, but gated on two conditions: the attacker must already be an authenticated low-privileged user (PR:L), and a separate human approver must take action (UI:A). … |
| Exploit Scenario | An authenticated low-privileged OpenClaw user submits an exec request such as a long, benign-looking listing or status command padded with whitespace or filler so that the malicious tail (for example a shell metacharacter chain that exfiltrates secrets or modifies files) falls past the approval UI's visible window. A human approver, seeing only the safe prefix, approves the request, and the full command (including the hidden suffix) is executed with whatever privileges the OpenClaw exec runner holds. … |
| Remediation | Vendor-released patch: upgrade OpenClaw to 2026.5.18 or later, which corrects the approval-display truncation; see the GHSA at https://github.com/openclaw/openclaw/security/advisories/GHSA-xww8-gqvh-92x9 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-command-truncation-in-exec-approval-display. … |
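As an added illustration (not OpenClaw's code and not taken from the advisory), the following Python sketches the defender-side control the CWE-451 analysis implies: an approval gate that either shows the approver every character of the command or refuses to treat the request as reviewable, flags long whitespace runs and control characters that could push a suffix out of the visible window, and binds the approval decision to a digest of the complete command rather than to whatever fit on screen. The display limit, the function names and the sample commands are assumptions constructed for this example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical width of the approver's visible window; the real OpenClaw
# limit is not stated on this page.
DISPLAY_LIMIT = 120


@dataclass
class ApprovalView:
    """What the approver is shown, plus integrity metadata about the full command."""
    shown: str                      # text actually rendered to the approver
    total_chars: int                # length of the full command
    hidden_chars: int               # characters not rendered (0 when nothing is hidden)
    sha256: str                     # digest of the full command, so approval binds to all of it
    warnings: list[str] = field(default_factory=list)


def render_for_approval(command: str, limit: int = DISPLAY_LIMIT) -> ApprovalView:
    """Build the approval view and flag anything that could hide part of the command."""
    digest = hashlib.sha256(command.encode("utf-8")).hexdigest()
    warnings: list[str] = []

    # Long whitespace runs are the padding technique described above:
    # surface them instead of letting the UI collapse or scroll them away.
    if re.search(r"\s{8,}", command):
        warnings.append("long whitespace run: possible padding to hide a suffix")

    # Control characters and line breaks can also move text out of view.
    if re.search(r"[\x00-\x08\x0b-\x1f\x7f]", command) or "\n" in command or "\r" in command:
        warnings.append("control character or line break inside a single command")

    if len(command) > limit:
        warnings.append(f"command exceeds display limit ({len(command)} > {limit}); full text not shown")
        shown, hidden = command[:limit], len(command) - limit
    else:
        shown, hidden = command, 0

    return ApprovalView(shown, len(command), hidden, digest, warnings)


def approvable(view: ApprovalView) -> bool:
    """A request may be approved only if the approver could see every character and nothing was flagged."""
    return view.hidden_chars == 0 and not view.warnings


def decide(command: str, approver_saw_digest: Optional[str] = None,
           limit: int = DISPLAY_LIMIT) -> tuple[bool, list[str]]:
    """Gate execution: refuse when the view was incomplete, and tie approval to the full-command digest."""
    view = render_for_approval(command, limit)
    if not approvable(view):
        return False, view.warnings or [f"{view.hidden_chars} characters hidden from approver"]
    # The runner must execute exactly the bytes the approver saw: compare digests,
    # so a command swapped or extended after review is rejected.
    if approver_saw_digest is not None and approver_saw_digest != view.sha256:
        return False, ["approved digest does not match the command submitted for execution"]
    return True, []


if __name__ == "__main__":
    # Constructed sample requests (not from the advisory): one plain, one padded
    # so that a marker suffix lands past the visible window.
    samples = [
        "ls -la /var/log",
        "ls -la /var/log" + " " * 300 + "&& echo hidden-suffix",
    ]
    for cmd in samples:
        ok, reasons = decide(cmd)
        print("APPROVABLE" if ok else "BLOCKED", reasons)
```

The important design choice is that the gate never approves "what the approver saw" as a proxy for the command: a request that cannot be rendered in full is not reviewable, and the execution step re-checks the digest of the complete command against the one the approver acknowledged.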
Recommended Action (AI)
24 hours: Inventory all OpenClaw installations, document current versions, and identify systems processing sensitive commands through approval workflows. …
- Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
- Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
- OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
- An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
- OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
- Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
- OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
- OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
- OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
- OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
- OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
- OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique: Authentication Bypass
EUVD-2026-36617
GHSA-92qj-8g54-qmph