Impact
OpenClaw prior to version 2026.2.25 contains a flaw in the system.run command: the approval identity rendered for the approver is trimmed of trailing whitespace, while the runtime executes the raw argv value. An attacker can craft a command argument that looks identical in the approver's view yet carries a trailing space that changes the executable path. The result is execution of an unexpected binary under the OpenClaw runtime user, bypassing the approval integrity check and enabling arbitrary code execution as that user.
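The mismatch described above, modelled as an added example that is not OpenClaw's code: the vulnerable pattern renders the approval identity from trimmed argv while the raw argv is what runs, and the hardened pattern renders the identity from the exact argv and additionally rejects arguments carrying ambiguous whitespace. All function names and the sample argv values are constructed for illustration.

```javascript
// Added example (not OpenClaw's code): models the approval-identity mismatch
// described in the advisory and two defensive fixes. Function names and the
// sample argv below are constructed, not taken from the project.

// Vulnerable pattern: the identity shown to the approver is built from
// whitespace-trimmed argv, but execution later uses the raw argv.
function renderIdentityTrimmed(argv) {
  return argv.map((a) => a.trim()).join(' ');
}

// Hardened pattern: render the identity from the exact strings that will be
// executed, so any byte-level difference between "what was approved" and
// "what runs" surfaces as a mismatch.
function renderIdentityExact(argv) {
  return JSON.stringify(argv);
}

// Simulated approval gate: would the runtime run `argv` given an approval
// that was granted for `approvedIdentity`, using renderer `render`?
function approvalAllows(render, approvedIdentity, argv) {
  return render(argv) === approvedIdentity;
}

// Independent pre-check: reject any argv element with leading/trailing
// whitespace or control characters, since those are invisible or
// misleading in a rendered approval prompt.
function hasAmbiguousWhitespace(argv) {
  return argv.some((a) => a !== a.trim() || /[\x00-\x1f\x7f]/.test(a));
}

// Constructed sample: an approval granted for this command...
const approvedArgv = ['/usr/bin/tool', '--flag'];
// ...and an argv submitted later whose executable path carries a trailing
// space, which the trimmed rendering hides from the approver.
const submittedArgv = ['/usr/bin/tool ', '--flag'];

function demo() {
  const vulnApproved = renderIdentityTrimmed(approvedArgv);
  const vulnRuns = approvalAllows(renderIdentityTrimmed, vulnApproved, submittedArgv);

  const hardApproved = renderIdentityExact(approvedArgv);
  const hardRuns = approvalAllows(renderIdentityExact, hardApproved, submittedArgv);

  return {
    vulnerableWouldRun: vulnRuns,                              // true
    hardenedWouldRun: hardRuns,                                // false
    rejectedByPrecheck: hasAmbiguousWhitespace(submittedArgv), // true
  };
}

console.log(demo());
```

The exact-identity renderer is the core fix: whatever string the approver saw must be byte-for-byte what the runtime executes, with no normalization in between. The whitespace pre-check is defence in depth that also catches arguments the rendering layer might otherwise display ambiguously.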
Affected Systems
The vulnerability affects the OpenClaw platform, specifically all releases before 2026.2.25. The impact is tied to the Node.js runtime used by OpenClaw. Users running any of these unsupported versions are potentially susceptible when an attacker can influence command arguments within an approved context.
Risk and Exploitability
The CVSS score of 5.7 indicates a medium severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely local or requires the ability to create or reuse an approval context within OpenClaw, which may be achievable by an authenticated or privileged user. Exploitation requires manipulating argv arguments in an approved command, leading to execution of a different binary than shown to the approver.