CVE-2026-29608

medium

Description

OpenClaw 2026.3.1 contains an approval-integrity vulnerability in system.run node-host execution: argv rewriting changes the semantics of the approved command. An attacker who can place a malicious local script in the working directory can cause unintended code to execute even though the operator approved different command text.

References

https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting

https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f

https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1

Details

Source: MITRE, NVD

Published: 2026-03-19

Updated: 2026-03-19

Risk Information

CVSS v2

Base Score: 6.0

Vector: CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 6.7

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Severity: Medium

CVSS v4

Base Score: 5.4

Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: Medium