GHSA-gv46-4xfq-jv58: OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters.
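The trust-boundary failure described above, as an added sketch that is not OpenClaw's code: a gateway that forwards client parameters verbatim, next to one that rejects reserved control fields and sets approval state only from its own record. Every field and function name here (`_approved`, `forwardSafe`, and so on) is hypothetical, since the advisory does not name the real ones.

```javascript
// Added illustration; all field and function names are hypothetical,
// not taken from OpenClaw's code base.

// Keys only the gateway may set when talking to a node host.
const INTERNAL_FIELDS = new Set(["_approved", "_approvalId", "_bypassApproval"]);

// Vulnerable shape: client params are forwarded verbatim, so an injected
// internal field reaches the node host looking like gateway-set state.
function forwardUnsafe(clientParams) {
  return { ...clientParams };
}

// Walk the payload (nested objects and arrays included) and report the
// path of every reserved key a client tried to supply.
function findInternalFields(value, path = "") {
  const hits = [];
  if (value === null || typeof value !== "object") return hits;
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (INTERNAL_FIELDS.has(key)) hits.push(here);
    hits.push(...findInternalFields(child, here));
  }
  return hits;
}

// Hardened shape: reject reserved keys outright, then attach approval
// state from the gateway's own record, never from the request body.
function forwardSafe(clientParams, approvalRecord) {
  const hits = findInternalFields(clientParams);
  if (hits.length > 0) {
    throw new Error(`client supplied internal fields: ${hits.join(", ")}`);
  }
  return { ...clientParams, _approved: approvalRecord.approved === true };
}

// Node-host side gate (also hypothetical): exec runs only when approved.
function nodeHostAllowsExec(invokeParams) {
  return invokeParams._approved === true;
}

// Constructed sample request carrying an injected control field.
const injected = { command: "example-command", _approved: true };
```

Rejecting the request, rather than silently stripping the field, also gives the gateway a log event to alert on.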