CVE-2026-29608
Received Received - Intake
Approval Integrity Bypass in OpenClaw 2026.3.1 run Node Execution

Publication date: 2026-03-19

Last updated on: 2026-03-19

Assigner: VulnCheck

Description
OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29608
EUVD
EUVD-2026-13016
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw 2026.3.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-29608 is an approval integrity vulnerability in OpenClaw version 2026.3.1 affecting the system.run node-host execution function. The issue arises because the system rewrites the command's argument vector (argv), changing the intended command semantics. This rewriting can cause the execution of unintended commands or scripts."}, {'type': 'paragraph', 'content': "Specifically, when a shell wrapper command is approved (e.g., commands like `env sh -c ...`), the system changes the argv such that the actual executed command differs from what the operator approved. For example, the argv might be transformed from `['env','sh','-c','echo SAFE']` to `['/bin/sh','sh','-c','echo SAFE']`. This causes the shell to interpret an extra positional argument as a script path, allowing execution of a malicious local script placed by an attacker in the working directory."}, {'type': 'paragraph', 'content': 'Attackers exploit this by placing malicious scripts locally and tricking the operator into approving a seemingly safe command, which then executes the malicious script due to argv rewriting.'}] [1, 2, 3]

Impact Analysis

This vulnerability can lead to execution of arbitrary or malicious local scripts despite operator approval of a different, safe command. This means an attacker with local access and the ability to place files in the working directory can bypass command approval controls.

The impact includes high confidentiality, integrity, and availability risks because unintended commands or scripts can run with the privileges of the approved command execution context.

  • Execution of unauthorized code or scripts
  • Bypassing operator command approval mechanisms
  • Potential compromise of system confidentiality, integrity, and availability
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if the system.run node-host execution rewrites argv in a way that changes command semantics, potentially allowing execution of unintended local scripts.'}, {'type': 'paragraph', 'content': "Specifically, you can check for the presence of suspicious local scripts in working directories that might be executed due to argv rewriting, such as unexpected files named like shell wrapper arguments (e.g., a file named 'sh' in the working directory)."}, {'type': 'paragraph', 'content': 'While no explicit detection commands are provided in the resources, a practical approach includes:'}, {'type': 'list_item', 'content': 'Listing files in working directories where system.run commands are approved to detect unexpected or suspicious scripts.'}, {'type': 'list_item', 'content': "Monitoring execution logs for commands where argv rewriting might have occurred, especially commands involving shell wrappers like 'env sh -c ...'."}, {'type': 'list_item', 'content': 'Using system auditing tools to track execution of local scripts that were not explicitly approved.'}, {'type': 'paragraph', 'content': 'Example commands you might use include:'}, {'type': 'list_item', 'content': 'ls -la in directories where system.run commands are executed to find suspicious scripts.'}, {'type': 'list_item', 'content': 'grep or auditd rules to monitor execution of shell wrapper commands and detect deviations in argv usage.'}] [1, 2, 3]

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.3.2 or later, where the vulnerability has been fixed.

The fix ensures that system.run command approvals involving shell or dispatch wrappers preserve the original argv shape during execution hardening, preventing command spoofing or unauthorized command shape changes.

Until the upgrade is applied, you should:

  • Avoid running system.run commands that involve shell wrappers or dispatch wrappers in untrusted or writable working directories.
  • Restrict write permissions in directories where approved commands are executed to prevent attackers from placing malicious local scripts.
  • Review and tighten approval policies to ensure operators verify the exact command semantics and working directory contents before approval.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29608. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart