CVE-2026-31997

MEDIUM

OpenClaw < 2026.3.1 - Executable Rebind via Unbound PATH-token in system.run Approvals

Title source: cna

Description

OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute a different binary than the operator approved, enabling arbitrary command execution.

References (2)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals

Scores

CVSS v3 6.0

EPSS 0.0001

EPSS Percentile 1.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Details

CWE

CWE-367

Status published

Products (4)

npm/openclaw 0 - 2026.3.1npm

OpenClaw/OpenClaw < 2026.3.1

openclaw/openclaw < 2026.3.1

OpenClaw/OpenClaw 2026.3.1

Published Mar 19, 2026

Tracked Since Mar 19, 2026