Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation).
Published: 2026-02-19
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: BYPASS OF EXECUTION ALLOWLIST/APPROVALS LEADING TO POTENTIAL ARBITRARY COMMAND EXECUTION
Action: Update
AI Analysis

Impact

A discrepancy between rawCommand and command[] variables in the node host system.run handler allows the system to perform allowlist or approval checks against one command while executing a different argv array. This flaw can enable an attacker who can invoke system.run to bypass defined security policies and execute arbitrary code, compromising system confidentiality, integrity, and availability.

Affected Systems

All OpenClaw installations older than version 2026.2.14 that use the node host companion execution path and have security=allowlist enabled with ask=on-miss approval prompting. Configurations that do not use the node host or do not enable allowlist-based exec policy are not affected. The flaw appears in the openclaw:openclaw product for Node.js environments.

Risk and Exploitability

The CVSS score is 7.2, indicating a moderate to high severity vulnerability. The EPSS score is less than 1 percent, suggesting a very low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be able to trigger system.run, typically through exposed APIs or local access. Once triggered, the attacker can circumvent policy checks and launch arbitrary commands.

Generated by OpenCVE AI on April 17, 2026 at 17:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw version 2026.2.14 or later, where rawCommand and command[] checks are enforced to fail fast and host validation is added.
  • Reconfigure the system to disable or restrict the system.run interface for untrusted or non‑node hosts, and ensure allowlist/security=allowlist policies are only applied where appropriate.
  • Audit existing deployments for mismatched rawCommand and command[] usage, and validate that all configurations use the same array when invoking system.run.

Generated by OpenCVE AI on April 17, 2026 at 17:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h3f9-mjwj-w476 OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals
History

Mon, 23 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Openclaw
Openclaw openclaw
Vendors & Products Openclaw
Openclaw openclaw

Thu, 19 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation).
Title OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:39:41.148Z

Reserved: 2026-02-13T16:27:51.808Z

Link: CVE-2026-26325

cve-icon Vulnrichment

Updated: 2026-02-20T15:29:41.442Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T23:16:25.800

Modified: 2026-02-23T13:47:10.610

Link: CVE-2026-26325

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses