CVE-2026-26325
Status: Received - Intake
Command Injection via Argument Mismatch in OpenClaw system.run

Publication date: 2026-02-19

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while a different argv was executed. This only impacts deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), and allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (the gateway fails fast on a mismatch, and the node host validates it again before executing).
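The following TypeScript is an added illustration of the mismatch described above and of the consistency check the fix introduces; it is not OpenClaw's code. The field names `rawCommand` and `command[]` and the settings `security=allowlist` / `ask=on-miss` are taken from the advisory; the handler shape, the tokenizer, the approver callback, the allowlist contents and the direction of the mismatch (policy evaluated on `rawCommand`, `command[]` executed) are assumptions. The hardened path doubles as a detection rule: any `system.run` request whose `rawCommand` does not tokenize to exactly `command[]` is rejected before policy evaluation and is worth logging.

```typescript
// Added illustration, not OpenClaw's code. Field names and policy settings come
// from the advisory; the handler shape, tokenizer and approver are assumptions.

export type SystemRunRequest = { rawCommand: string; command: string[] };
export type ExecPolicy = { security: "allowlist"; ask: "on-miss"; allowlist: string[] };
export type Approver = (argv: string[]) => boolean; // stands in for the approval prompt
export type Decision =
  | { outcome: "executed"; argv: string[]; prompted: boolean }
  | { outcome: "denied"; reason: string; prompted: boolean };

// Minimal shell-style tokenizer (assumed): whitespace splits, single/double quotes group.
export function tokenize(raw: string): string[] {
  const out: string[] = [];
  let cur = "";
  let quote: string | null = null;
  let inToken = false;
  for (const ch of raw) {
    if (quote) {
      if (ch === quote) quote = null; else cur += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch; inToken = true;
    } else if (/\s/.test(ch)) {
      if (inToken) { out.push(cur); cur = ""; inToken = false; }
    } else {
      cur += ch; inToken = true;
    }
  }
  if (quote) throw new Error("unterminated quote in rawCommand");
  if (inToken) out.push(cur);
  return out;
}

function allowlisted(argv: string[], policy: ExecPolicy): boolean {
  return argv.length > 0 && policy.allowlist.indexOf(argv[0]) !== -1;
}

// Shared policy step: an allowlist hit runs with no prompt; a miss prompts (ask=on-miss).
// `evaluated` is what the policy and the approver see; `toExecute` is what gets spawned.
function decide(evaluated: string[], toExecute: string[], policy: ExecPolicy, approve: Approver): Decision {
  if (allowlisted(evaluated, policy)) return { outcome: "executed", argv: toExecute, prompted: false };
  if (approve(evaluated)) return { outcome: "executed", argv: toExecute, prompted: true };
  return { outcome: "denied", reason: "approval refused", prompted: true };
}

// Pre-fix shape (assumed): the policy is evaluated on rawCommand, but command[] is executed.
export function vulnerableSystemRun(req: SystemRunRequest, policy: ExecPolicy, approve: Approver): Decision {
  return decide(tokenize(req.rawCommand), req.command, policy, approve);
}

// Fixed shape: fail fast unless rawCommand tokenizes to exactly command[], then evaluate
// and execute the same argv, so the approver can never be shown something else.
export function hardenedSystemRun(req: SystemRunRequest, policy: ExecPolicy, approve: Approver): Decision {
  let argv: string[];
  try {
    argv = tokenize(req.rawCommand);
  } catch (e) {
    return { outcome: "denied", reason: String(e), prompted: false };
  }
  const same = argv.length === req.command.length && argv.every((a, i) => a === req.command[i]);
  if (!same) return { outcome: "denied", reason: "rawCommand/command[] mismatch", prompted: false };
  return decide(argv, argv, policy, approve);
}

// Constructed request: allowlisted text is shown to the policy, a different argv is sent to run.
export const policy: ExecPolicy = { security: "allowlist", ask: "on-miss", allowlist: ["ls", "cat"] };
export const mismatched: SystemRunRequest = { rawCommand: "ls -la /tmp", command: ["rm", "-rf", "/tmp/x"] };
export const neverApprove: Approver = () => false;

export const beforeFix = vulnerableSystemRun(mismatched, policy, neverApprove);
// beforeFix: { outcome: "executed", argv: ["rm", "-rf", "/tmp/x"], prompted: false }
export const afterFix = hardenedSystemRun(mismatched, policy, neverApprove);
// afterFix: { outcome: "denied", reason: "rawCommand/command[] mismatch", prompted: false }
```

In the vulnerable shape the attacker pays for `ls`, which is allowlisted, so no prompt is ever raised, and `rm -rf /tmp/x` is what the node runs. The hardened shape rejects the request before any policy decision is made, which is the behaviour to alert on: a legitimate client always sends a `rawCommand` that tokenizes to its own `command[]`.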
Meta Information
Published: 2026-02-19
Last Modified: 2026-02-23
Generated: 2026-06-16
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: openclaw
Product: openclaw
Version / Range: all versions before 2026.2.14 (2026.2.14 itself excluded)
CWE
CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

This vulnerability exists in OpenClaw, a personal AI assistant, prior to version 2026.2.14. It involves a mismatch between the rawCommand and command[] parameters in the node host system.run handler. This mismatch can cause the allowlist or approval evaluation to be performed on one command, while a different command is actually executed. This issue only affects deployments that use the node host or companion node execution path (system.run on a node), have allowlist-based execution policies enabled (security=allowlist), and use approval prompting triggered by allowlist misses (such as ask=on-miss). Default or non-node configurations are not affected.

Version 2026.2.14 fixes this vulnerability by enforcing consistency between rawCommand and command[] through gateway fail-fast and node host validation.

Impact Analysis

This vulnerability can allow an attacker who is able to invoke system.run on a node to bypass the intended allowlist or approval checks. Because the evaluation is done on one command but a different argv is executed, the attacker can present an allowlisted (or approved) command to the policy while the node runs an arbitrary command with the privileges of the node host process.

The CVSS v3.1 base score of 7.2 indicates a high severity, with impacts on confidentiality, integrity, and availability. This means the attacker could execute commands that compromise sensitive data, alter system behavior, or disrupt services.

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenClaw to version 2026.2.14 or later, which enforces consistency between rawCommand and command[] through gateway fail-fast and node host validation.

If you cannot upgrade immediately, do not rely on the allowlist-with-approval combination (security=allowlist with ask=on-miss) on nodes as a control until the patched version is deployed: restrict who can reach the node host / companion node execution path and invoke system.run, or disable node execution for untrusted callers. Deployments that do not use the node execution path are not affected.
