Medium severity6.3NVD Advisory· Published Mar 31, 2026· Updated Apr 2, 2026
CVE-2026-32921
CVE-2026-32921
Description
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command shape.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openclawnpm | < 2026.3.8 | 2026.3.8 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240nvdPatchWEB
- github.com/openclaw/openclaw/commit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91nvdPatchWEB
- github.com/advisories/GHSA-8g75-q649-6pv6ghsaADVISORY
- github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-32921ghsaADVISORY
- www.vulncheck.com/advisories/openclaw-script-content-modification-via-mutable-operand-binding-in-system-runnvdThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.