GHSA-8g75-q649-6pv6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8g75-q649-6pv6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8g75-q649-6pv6/GHSA-8g75-q649-6pv6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8g75-q649-6pv6
- Aliases
-
- CVE-2026-32921
- Downstream
- Published
- 2026-03-12T14:21:28Z
- Modified
- 2026-04-06T22:46:28.593807Z
- Severity
-
- 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- OpenClaw's system.run approvals did not bind mutable script operands across approval and execution
- Details
-
OpenClaw's
system.runapproval flow did not bind mutable interpreter-style script operands across approval and execution.A caller could obtain approval for an execution such as
sh ./script.sh, rewrite the approved script before execution, and then execute different content under the previously approved command shape. The approvedargvvalues remained the same, but the mutable script operand content could drift after approval.Latest published npm version verified vulnerable:
2026.3.7The initial March 7, 2026 fix in
c76d29208bf6a7f058d2cf582519d28069e42240added approval binding for shell scripts and a narrow interpreter set, but follow-up maintainer review on March 8, 2026 found thatbunanddenoscript operands still did not producemutableFileOperandsnapshots.A complete fix shipped on March 9, 2026 in
cf3a479bd1204f62eef7dd82b4aa328749ae6c91, which binds approvedbunanddeno runscript operands to on-disk file snapshots and denies post-approval script drift before execution.Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.3.7 - Patched version:
2026.3.8
Fix Commit(s)
c76d29208bf6a7f058d2cf582519d28069e42240cf3a479bd1204f62eef7dd82b4aa328749ae6c91
Release Verification
- npm
2026.3.7remains vulnerable. - npm
2026.3.8contains the completed fix.
Thanks @tdjackey for reporting.
- Package:
- Database specific
{ "nvd_published_at": null, "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-285", "CWE-367" ], "github_reviewed_at": "2026-03-12T14:21:28Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6
- https://nvd.nist.gov/vuln/detail/CVE-2026-32921
- https://github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240
- https://github.com/openclaw/openclaw/commit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-script-content-modification-via-mutable-operand-binding-in-system-run
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw