system.run approvals in OpenClaw used rendered command text as the approval identity while trimming argv token whitespace. Runtime execution still used raw argv. A crafted trailing-space executable token could therefore execute a different binary than what the approver saw.
Affected package: openclaw (npm), vulnerable <= 2026.2.24, patched >= 2026.2.25.
This is an approval-integrity bypass that can lead to unexpected command execution under the OpenClaw runtime user when an attacker can influence command argv and reuse/obtain a matching approval context.
OpenClaw does not treat adversarial multi-user sharing of one gateway host/config as a supported security boundary. This finding is still valid in supported deployments because it breaks the operator approval boundary itself (approved display command vs executed argv).
Fix commit: 03e689fc89bbecbcd02876a95957ef1ad9caa176. patched_versions is pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25.
OpenClaw thanks @tdjackey for reporting.
| Score | Percentile |
|---|---|
| 0.04% | 10.89% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 4.8 | 3.1 | — | — |
| 5.7 | 4.0 | — | — |
| Type | Value |
|---|---|
| GHSA | GHSA-hwpq-rrpf-pgcq |
| CVE | CVE-2026-32065 |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | <= 2026.2.24 | 2026.2.25 | — |