CVE-2026-29608

MEDIUM openclaw NVD

CVSS Score 6.7

Severity MEDIUM

Published Mar 19, 2026

Vendor openclaw

Description

OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text.

References

https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1
https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f
https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting