GHSA-wwrj-437c-ppq4: Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution
(updated )
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-8g75-q649-6pv6. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command shape.
References
- github.com/advisories/GHSA-wwrj-437c-ppq4
- github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240
- github.com/openclaw/openclaw/commit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91
- github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6
- nvd.nist.gov/vuln/detail/CVE-2026-32921
- www.vulncheck.com/advisories/openclaw-script-content-modification-via-mutable-operand-binding-in-system-run
Code Behaviors & Features
Detect and mitigate GHSA-wwrj-437c-ppq4 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →