
Description

OpenClaw before 2026.3.8 contains an approval-bypass vulnerability in system.run: the mutable script operands of a command are not bound across the approval and execution phases. An attacker who obtains approval for a script execution can modify the approved script file before it is executed, so that different content runs while the command shape that was approved (the argv strings, including the script path) stays the same.
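To make the approve-then-swap sequence concrete, the following is an added example written for this record; it is not OpenClaw's code and the names (Approval, approveByShape, approveWithBoundOperands, gateExecution, demonstrate) and the sample script are constructed here. It contrasts an approval that records only the command shape with one that also records a digest of every file operand, then replays the race deterministically: approve, rewrite the script at the same path, attempt to execute.

```typescript
import { createHash } from "node:crypto";
import { mkdtempSync, readFileSync, statSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

// Hypothetical approval record for a system.run-style call (not OpenClaw's API).
interface Approval {
  argv: string[];                          // command shape the user approved
  operandDigests: Record<string, string>;  // file operand path -> sha256 at approval time
}

function sha256(data: Buffer): string {
  return createHash("sha256").update(data).digest("hex");
}

// Treat every argv element that names an existing regular file as a script operand.
function fileOperands(argv: string[]): string[] {
  return argv.filter((a) => {
    try { return statSync(a).isFile(); } catch { return false; }
  });
}

// Vulnerable pattern: approval binds only the argv strings. Whatever the file
// contains at execution time is what runs.
function approveByShape(argv: string[]): Approval {
  return { argv: [...argv], operandDigests: {} };
}

// Hardened pattern: approval also binds the content of each file operand.
function approveWithBoundOperands(argv: string[]): Approval {
  const operandDigests: Record<string, string> = {};
  for (const p of fileOperands(argv)) {
    operandDigests[p] = sha256(readFileSync(p));
  }
  return { argv: [...argv], operandDigests };
}

// Execution gate: the command shape AND every bound operand must match the approval.
function gateExecution(approval: Approval, argv: string[]): { allowed: boolean; reason: string } {
  if (argv.length !== approval.argv.length || argv.some((a, i) => a !== approval.argv[i])) {
    return { allowed: false, reason: "command shape differs from approval" };
  }
  for (const p of Object.keys(approval.operandDigests)) {
    let current: Buffer;
    try { current = readFileSync(p); } catch { return { allowed: false, reason: `operand ${p} unreadable` }; }
    if (sha256(current) !== approval.operandDigests[p]) {
      return { allowed: false, reason: `operand ${p} changed since approval` };
    }
  }
  return { allowed: true, reason: "shape and operand content match approval" };
}

// Replay the race: approve a benign script, swap its content at the same path,
// then ask each gate whether execution may proceed. Constructed sample data.
function demonstrate(): { shapeOnlyAllowed: boolean; boundAllowed: boolean; boundReason: string } {
  const dir = mkdtempSync(join(tmpdir(), "operand-binding-"));
  const script = join(dir, "task.sh");
  writeFileSync(script, "#!/bin/sh\necho benign\n");
  const argv = ["sh", script];

  const byShape = approveByShape(argv);                 // what the vulnerable flow records
  const bound = approveWithBoundOperands(argv);         // what the hardened flow records

  // Attacker rewrites the approved script; argv, and therefore the shape, is unchanged.
  writeFileSync(script, "#!/bin/sh\necho attacker-controlled\n");

  const shapeOnly = gateExecution(byShape, argv);
  const boundCheck = gateExecution(bound, argv);
  return { shapeOnlyAllowed: shapeOnly.allowed, boundAllowed: boundCheck.allowed, boundReason: boundCheck.reason };
}

const result = demonstrate();
console.log(result);
```

Re-hashing the path immediately before spawning narrows the window but does not close it, because the file can still change between the digest and the exec; the robust form of the binding is to execute the bytes captured at approval time (a private copy or an already-open descriptor) rather than to re-open the user-writable path.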

Status: PUBLISHED | Reserved 2026-03-16 | Published 2026-03-31 | Updated 2026-03-31 | Assigner VulnCheck

Severity

MEDIUM 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N)
MEDIUM 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Problem types

Time-of-check Time-of-use (TOCTOU) Race Condition: the script content is checked (approved) at one time and used (executed) at a later time, with nothing binding the two.

Product status

Default status
unaffected

Any version before 2026.3.8
affected

2026.3.8 (semver)
unaffected

Credits

tdjackey reporter

References

github.com/...enclaw/security/advisories/GHSA-8g75-q649-6pv6 (GitHub Security Advisory (GHSA-8g75-q649-6pv6)) third-party-advisory

github.com/...ommit/c76d29208bf6a7f058d2cf582519d28069e42240 (Patch Commit #1) patch

github.com/...ommit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91 (Patch Commit #2) patch

www.vulncheck.com/...a-mutable-operand-binding-in-system-run (VulnCheck Advisory: OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.run) third-party-advisory

cve.org (CVE-2026-32921)

nvd.nist.gov (CVE-2026-32921)
