OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows…
VulnCheck·CWE-863·Published 2026-03-02
OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows.
### Summary

In approval-enabled `host=node` workflows, `system.run` approvals did not always carry a strict, versioned execution-context binding. In uncommon setups that rely on these approvals as an integrity guardrail, a previously approved request could be reused with changed env input.

### Affected Packages / Versions

- Package: npm `openclaw`
- Latest published npm version at triage: `2026.2.25`
- Affected range: `<= 2026.2.25`
- Planned fixed version (next npm release): `2026.2.26`

### Preconditions / Typical Exposure

This requires all of the following:

- `system.run` usage through `host=node`
- Exec approvals enabled and used as an execution-integrity control
- Access to an approval id in the same context

Most default single-operator local setups do not rely on this path, so practical exposure is typically lower.

### Details

Approval matching now uses a required versioned binding (`systemRunBindingV1`) over command argv, cwd, agent/session context, and env hash.

The fix:

- Requires `commandArgv` when requesting `host=node` approvals.
- Requires `systemRunBindingV1` when consuming approvals for node `system.run`.
- Removes legacy non-versioned fallback matching and fails closed on missing/mismatched bindings.
- Keeps env mismatch handling explicit and blocks `GIT_EXTERNAL_DIFF` in host env policy.
- Adds/updates regression and contract coverage for mismatch mapping and binding rules.

### Impact

Configuration-dependent approval-integrity weakness in node-host exec approval flows. Severity remains `medium` because exploitation depends on this specific approval mode and context.

### Fix Commit(s)

- `10481097f8e6dd0346db9be0b5f27570e1bdfcfa`

### Release Process Note

`patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm release `2026.2.26` is published, the advisory can be published without further metadata edits.

OpenClaw thanks @tdjackey for reporting.
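The binding check described under Details, as an added example that is not OpenClaw's own code: an approval stores a versioned binding over argv, cwd, agent/session context and an env hash, and consumption fails closed when the binding is missing or any bound field differs. The field names inside the binding, the helper names (`envHash`, `buildBinding`, `matchApproval`), the reason strings and the sample request are assumptions made for illustration; only `commandArgv` and `systemRunBindingV1` come from the advisory.

```javascript
// Illustrative sketch only; the binding layout and helper names are hypothetical.
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Hash the env with sorted keys so key order cannot change the digest.
function envHash(env) {
  const entries = Object.keys(env || {}).sort().map((k) => [k, String(env[k])]);
  return sha256(JSON.stringify(entries));
}

// Build the binding at request time; a request without argv is rejected.
function buildBinding(req) {
  if (!Array.isArray(req.commandArgv) || req.commandArgv.length === 0) {
    throw new Error("commandArgv is required for host=node approvals");
  }
  return {
    version: 1,
    argv: [...req.commandArgv],
    cwd: req.cwd ?? null,
    agentId: req.agentId ?? null,
    sessionKey: req.sessionKey ?? null,
    envHash: envHash(req.env),
  };
}

// Consume-time check: no legacy fallback, every outcome except an exact match denies.
function matchApproval(approval, req) {
  const bound = approval && approval.systemRunBindingV1;
  if (!bound || bound.version !== 1) return { ok: false, reason: "missing-binding" };
  const now = buildBinding(req);
  // Env mismatch is reported separately so callers can surface it explicitly.
  if (bound.envHash !== now.envHash) return { ok: false, reason: "env-mismatch" };
  const core = (b) => JSON.stringify([b.argv, b.cwd, b.agentId, b.sessionKey]);
  if (core(bound) !== core(now)) return { ok: false, reason: "binding-mismatch" };
  return { ok: true, reason: null };
}

// Constructed sample: the request as approved, then the same approval id
// presented again with a changed env.
const approved = { commandArgv: ["git", "diff"], cwd: "/work/repo",
  agentId: "agent-1", sessionKey: "sess-1", env: { LANG: "C" } };
const approval = { id: "approval-example", systemRunBindingV1: buildBinding(approved) };
const reused = { ...approved, env: { LANG: "C", EXAMPLE_VAR: "changed" } };

console.log(matchApproval(approval, approved)); // exact match is allowed
console.log(matchApproval(approval, reused));   // changed env is denied
```
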
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | Primary | cve.org | 2.6 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N |
| 3.1 | Secondary | GHSA | 2.6 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N |
| 3.1 | Secondary | NVD | 2.6 | 1.2 | 1.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N |
| 4.0 | Primary | cve.org | 2.0 | — | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| 4.0 | Secondary | GHSA | 2.0 | — | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| 4.0 | Secondary | NVD | 2.0 | — | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |