CVE-2026-22168
Approval-Integrity Bypass in OpenClaw system.run Enables Local Command Execution
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | before 2026.2.21 (2026.2.21 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22168 is a command injection vulnerability in OpenClaw versions prior to 2026.2.21 affecting the system.run function.
The flaw allows authenticated operators to append arbitrary trailing arguments after the command `cmd.exe /c` even though the approval text only shows a benign command.
This mismatch between the approved command and the actual executed command enables attackers to smuggle malicious arguments, resulting in local command execution on trusted Windows nodes.
Additionally, audit logs reflect only the benign command, causing mismatched audit records and complicating detection.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized local command execution on trusted Windows nodes by authenticated operators.
Attackers can exploit the approval-integrity mismatch to execute arbitrary commands that were not approved, potentially compromising system integrity.
Because audit logs only record the benign approved command, malicious activity may go undetected, increasing the risk of persistent unauthorized access or system manipulation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability is challenging because the approval and audit logs only reflect a benign command, while the actual executed command includes additional trailing arguments. This results in mismatched audit logs that do not show the malicious trailing arguments.
To detect exploitation attempts, you should monitor for discrepancies between approved commands and actual command execution, especially commands invoking `cmd.exe /c` with unexpected trailing arguments.
Since the vulnerability involves local command execution on trusted Windows nodes by authenticated operators, you can audit command execution logs and compare them against approval records to identify mismatches.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.2.21 or later, where the vulnerability has been fixed.
The fix involves refactoring the system.run command execution to enforce strict matching between the approved command text and the actual command executed, preventing trailing-argument smuggling attacks.
Until the upgrade can be applied, restrict or closely monitor authenticated operators' ability to execute commands via system.run, especially commands involving `cmd.exe /c` with trailing arguments.
Review and tighten approval workflows and audit processes to detect and prevent approval-integrity mismatches. [1, 2, 3]
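The detection answer above suggests reconciling approval records against execution records, and the mitigation answer describes the fix as strict matching of approved and executed command text. The following Python is an added illustration of both checks, not OpenClaw's own code: it assumes a hypothetical request id that links each approval to its execution, and the log records are constructed samples, since the advisory does not show OpenClaw's real log format.

```python
import shlex

# Constructed sample records keyed by a hypothetical request id (not OpenClaw's
# real audit format). req-2 executed with tokens the approver never saw;
# req-4 executed with no approval record at all.
APPROVED = {
    "req-1": "cmd.exe /c dir C:\\logs",
    "req-2": "cmd.exe /c whoami",
    "req-3": "cmd.exe /c hostname",
}
EXECUTED = {
    "req-1": "cmd.exe /c dir C:\\logs",
    "req-2": "cmd.exe /c whoami extra-arg-1 extra-arg-2",
    "req-4": "cmd.exe /c ver",
}


def tokens(cmdline: str) -> list[str]:
    """Split a command line into argv-style tokens. Non-POSIX mode keeps
    Windows-style quoting; this approximates, not replicates, cmd.exe parsing."""
    return shlex.split(cmdline, posix=False)


def strictly_matches(approved: str, executed: str) -> bool:
    """Fix-side check: the executed argv must equal the approved argv token for
    token. A longer executed argv means trailing arguments were smuggled in."""
    return tokens(approved) == tokens(executed)


def find_mismatches(approved: dict, executed: dict) -> list[dict]:
    """Detection-side check: reconcile every execution record against its
    approval record and report the ones that differ, with the extra tokens."""
    findings = []
    for req_id, exec_cmd in executed.items():
        appr_cmd = approved.get(req_id)
        if appr_cmd is None:
            findings.append({"id": req_id, "reason": "no approval record",
                             "approved": None, "executed": exec_cmd,
                             "extra": tokens(exec_cmd)})
            continue
        a, e = tokens(appr_cmd), tokens(exec_cmd)
        if a == e:
            continue  # approval text and executed command agree
        # Trailing-argument case: approved argv is a strict prefix of executed argv.
        extra = e[len(a):] if e[:len(a)] == a else []
        findings.append({"id": req_id,
                         "reason": "trailing arguments" if extra else "command differs",
                         "approved": appr_cmd, "executed": exec_cmd, "extra": extra})
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(APPROVED, EXECUTED):
        print(finding)
```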