GHSA-rwwx-25m7-ww73: Duplicate Advisory: OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity

March 29, 2026 (updated April 6, 2026)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-qc36-x95h-7j53. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and execute modified code under the approved run context.

References

github.com/advisories/GHSA-rwwx-25m7-ww73
github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53
nvd.nist.gov/vuln/detail/CVE-2026-32978
www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners

Code Behaviors & Features

Detect and mitigate GHSA-rwwx-25m7-ww73 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →