Description
OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current working directory after approval. An attacker can modify mutable parent symlink path components between approval and execution time to redirect command execution to a different location while preserving the visible working directory string.
Published: 2026-03-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution
Action: Patch
AI Analysis

Impact

The vulnerability in OpenClaw arises from improper handling of symbolic links (CWE-367, a time-of-check/time-of-use race) in the system.run function: an attacker who can modify a writable parent symlink can rebind it between the approval step and execution. The program then executes commands from a different filesystem location while the visible working directory string remains unchanged, potentially granting the attacker command execution in the context of the OpenClaw process.

Affected Systems

All releases of OpenClaw prior to version 2026.2.26 are affected. The CPE string cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* denotes every Node.js-based OpenClaw build without the 2026.2.26 update.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires the attacker to have write access to a parent symbolic link within the current working directory; local filesystem permissions are therefore a prerequisite. The attack vector is likely local, but the impact is execution of arbitrary commands with the privileges of the OpenClaw process.

Generated by OpenCVE AI on March 18, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.26 or later to remediate the approval bypass via symbolic link rebind
  • Restrict write permissions on parent symlinks used in OpenClaw’s current working directory paths so that only trusted users can modify them
  • After upgrading, verify that system.run no longer allows execution from arbitrary paths and monitor symlink integrity in critical directories

Advisories
Source: GitHub GHSA
ID: GHSA-f7ww-2725-qvw2
Title: OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind
History

Wed, 18 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 02:15:00 +0000

Values Removed: (none)
Values Added:
  • Description: OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current working directory after approval. An attacker can modify mutable parent symlink path components between approval and execution time to redirect command execution to a different location while preserving the visible working directory string.
  • Title: OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind
  • First Time appeared: Openclaw; Openclaw openclaw
  • Weaknesses: CWE-367
  • CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  • Vendors & Products: Openclaw; Openclaw openclaw
  • References: (none listed)
  • Metrics:
    cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}
    cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-18T14:02:06.726Z

Reserved: 2026-02-20T12:31:54.451Z

Link: CVE-2026-27545

Vulnrichment

Updated: 2026-03-18T14:02:02.896Z

NVD

Status: Analyzed

Published: 2026-03-18T02:16:23.837

Modified: 2026-03-18T19:51:34.893

Link: CVE-2026-27545

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:59:34Z

Weaknesses