CVE-2026-32978

HIGH

OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners

Title source: cna

Description

OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and execute modified code under the approved run context.

References (2)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners

Scores

CVSS v3 8.0

EPSS 0.0004

EPSS Percentile 12.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-863

Status published

Products (4)

npm/openclaw 0 - 2026.3.11npm

OpenClaw/OpenClaw < 2026.3.11

openclaw/openclaw < 2026.3.11

OpenClaw/OpenClaw 2026.3.11

Published Mar 29, 2026

Tracked Since Mar 29, 2026