GHSA-rw39-5899-8mxp — high GitHub Advisory (CVE-2026-32971) in npm/openclaw

Description

Summary

In affected versions of openclaw, node-host system.run approvals could display only an extracted shell payload such as jq --version while execution still ran a different outer wrapper argv such as ./env sh -c 'jq --version'.

Impact

This is an approval-integrity bug. An attacker who could place or select a local wrapper binary and induce a wrapper-shaped command could get local code executed after the operator approved misleading command text.

Affected Packages and Versions

Package: openclaw (npm)
Affected versions: <= 2026.3.8
Fixed in: 2026.3.11

Technical Details

Wrapper resolution normalized executables by basename and extracted inner shell payload text for approval display, while execution still preserved the full wrapper argv. Approval storage and UI therefore showed text that did not match the exact command OpenClaw would execute.

Fix

OpenClaw now binds approvals to the exact executed argv and keeps extracted shell payload text only as secondary preview data. The fix shipped in [email protected].

Workarounds

Upgrade to 2026.3.11 or later.

Basic information

Type: reviewed
Severity: high
Advisory on GitHub: Open advisory ↗
Repository advisory: Open repository advisory ↗
Source code: Browse source ↗
Published (advisory): 2026-03-13 15:47:46 UTC
Updated: 2026-04-06 22:37:28 UTC
GitHub reviewed: 2026-03-13 15:47:46 UTC

Score	Percentile
0.02%	3.46%

CVSS Scores

Base score	Version	Severity	Vector
7.1	3.1	—	`CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.

Identifiers

Type	Value
GHSA	GHSA-rw39-5899-8mxp ↗
CVE	CVE-2026-32971 ↗

CWEs

CWE id	Name
CWE-436	Interpretation Conflict
CWE-863	Incorrect Authorization

Credits

tdjackey (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
npm	openclaw	< 2026.3.11	2026.3.11	—

OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv