CVE-2026-32058: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
In approval-enabled host=node workflows, system.run approvals did not always carry a strict, versioned execution-context binding. In uncommon setups that rely on these approvals as an integrity guardrail, a previously approved request could be reused with changed env input.
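One way to bind an approval to a versioned execution context so that a change to env invalidates it, as an added example (not OpenClaw's code or its actual fix). Every name here (BINDING_VERSION, issueApproval, verifyApproval, the context fields) is hypothetical, the sample request is constructed, and the single-use flag is an assumption of this sketch.

```javascript
// Added illustration; all names are hypothetical and not OpenClaw's API.
const { createHash, timingSafeEqual } = require("node:crypto");

const BINDING_VERSION = 1; // bump whenever the set of bound fields changes

// Serialize the execution context deterministically: fixed field order,
// env entries sorted by key so that key ordering cannot change the digest.
function canonicalContext(ctx) {
  const env = Object.keys(ctx.env || {}).sort().map((k) => [k, String(ctx.env[k])]);
  return JSON.stringify([BINDING_VERSION, ctx.nodeId, ctx.command, ctx.args || [], ctx.cwd || "", env]);
}

function contextDigest(ctx) {
  return createHash("sha256").update(canonicalContext(ctx)).digest();
}

// Called when the operator approves: the record pins the exact context.
function issueApproval(ctx) {
  return { version: BINDING_VERSION, digest: contextDigest(ctx).toString("hex"), used: false };
}

// Called just before execution: recompute from what is about to run.
function verifyApproval(approval, ctx) {
  if (!approval || approval.version !== BINDING_VERSION) return "reject: binding version";
  if (approval.used) return "reject: already consumed";
  const expected = Buffer.from(approval.digest, "hex");
  const actual = contextDigest(ctx);
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
    return "reject: context changed";
  }
  approval.used = true; // assumption of this sketch: approvals are single use
  return "allow";
}

// Constructed sample request (not taken from the advisory).
const approved = { nodeId: "node-1", command: "/usr/bin/make", args: ["test"], cwd: "/srv/app", env: { CI: "1" } };
const changedEnv = { ...approved, env: { CI: "1", EXTRA: "added-after-approval" } };

function demo() {
  const approval = issueApproval(approved);
  return [
    verifyApproval(approval, changedEnv), // same command, different env
    verifyApproval(approval, approved),   // exact approved context
    verifyApproval(approval, approved),   // second use of the same approval
  ];
}
console.log(demo());
```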
References
- github.com/advisories/GHSA-hjvp-qhm6-wrh2
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/10481097f8e6dd0346db9be0b5f27570e1bdfcfa
- github.com/openclaw/openclaw/security/advisories/GHSA-hjvp-qhm6-wrh2
- nvd.nist.gov/vuln/detail/CVE-2026-32058
- www.vulncheck.com/advisories/openclaw-approval-context-binding-weakness-in-system-run-via-host-node