GHSA-hjvp-qhm6-wrh2: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
In approval-enabled host=node workflows, system.run approvals did not always carry a strict, versioned execution-context binding. In uncommon setups that rely on these approvals as an integrity guardrail, a previously approved request could be reused with changed env input.
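A sketch of what a strict, versioned execution-context binding can look like, as an added example that is not OpenClaw's code: the approval carries a MAC over a canonical form of the command, working directory and env, and the executor re-checks it against the request it is about to run. The function names, the bound field set, the HMAC construction and the sample values are assumptions made for illustration.

```javascript
// Added illustration, not OpenClaw code. All names here are hypothetical.
const { createHmac, timingSafeEqual } = require("node:crypto");

const BINDING_VERSION = 1; // bump whenever the set of bound fields changes

// Canonical serialization: env keys are sorted so that key order does not
// matter, but any added, removed or changed variable changes the output.
function canonicalContext({ argv, cwd, env }) {
  const sortedEnv = Object.keys(env).sort().map((k) => [k, env[k]]);
  return JSON.stringify({ v: BINDING_VERSION, argv, cwd, env: sortedEnv });
}

function contextMac(key, request) {
  return createHmac("sha256", key).update(canonicalContext(request)).digest();
}

// Issued at approval time, over exactly what the approver was shown.
function issueApproval(key, request) {
  return { v: BINDING_VERSION, mac: contextMac(key, request).toString("hex") };
}

// Checked at execution time against the request actually about to run.
function verifyApproval(key, approval, request) {
  // Approvals without the current binding version are rejected, not upgraded.
  if (!approval || approval.v !== BINDING_VERSION) return false;
  const given = Buffer.from(String(approval.mac), "hex");
  const expected = contextMac(key, request);
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample data.
const demoKey = Buffer.from("constructed-demo-key");
const approvedRequest = {
  argv: ["npm", "test"],
  cwd: "/srv/app",
  env: { NODE_ENV: "test", CI: "1" },
};
const demoApproval = issueApproval(demoKey, approvedRequest);

// Same command, different env: the stored approval no longer matches.
const changedEnvRequest = {
  ...approvedRequest,
  env: { ...approvedRequest.env, EXTRA: "1" },
};

console.log("original request:", verifyApproval(demoKey, demoApproval, approvedRequest));
console.log("changed env:     ", verifyApproval(demoKey, demoApproval, changedEnvRequest));
```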