CVE-2026-32065 in OpenClaw
Summary
by MITRE • 03/21/2026
OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime execution uses raw argv. An attacker can craft a trailing-space executable token to execute a different binary than what the approver displayed, allowing unexpected command execution under the OpenClaw runtime user when they can influence command argv and reuse an approval context.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability described in CVE-2026-32065 represents a critical approval-integrity bypass flaw within the OpenClaw system that undermines fundamental security controls designed to prevent unauthorized command execution. This issue affects all versions prior to 2026.2.25 and specifically targets the system.run function where command approval mechanisms fail to maintain consistency between approval validation and actual execution phases. The flaw creates a dangerous discrepancy between what appears to be approved and what is actually executed, fundamentally compromising the principle of least privilege and command authorization.
The technical implementation of this vulnerability stems from a mismatch in how command arguments are processed during approval versus execution phases. During the approval process, the system trims whitespace from argv tokens and uses this trimmed representation as the approval identity for verification purposes. However, during runtime execution, the system utilizes the raw argv parameters without any whitespace trimming, creating a potential attack surface where maliciously crafted arguments can exploit this inconsistency. The vulnerability specifically leverages trailing whitespace in executable tokens to manipulate the command execution flow, allowing attackers to substitute one binary for another while maintaining the appearance of legitimate approval.
This vulnerability directly maps to CWE-150 and CWE-153 within the Common Weakness Enumeration framework, representing weaknesses in input validation and command execution that enable privilege escalation and unauthorized code execution. The operational impact extends beyond simple command substitution, as attackers can potentially execute arbitrary binaries with the elevated privileges of the OpenClaw runtime user. The attack vector requires that the attacker can influence command argv parameters and has the ability to reuse an existing approval context, making this particularly dangerous in environments where approval workflows are automated or where attackers can manipulate command parameters through legitimate interfaces. The vulnerability essentially creates a false sense of security during the approval phase while silently executing malicious commands during execution.
The exploitation of this vulnerability follows patterns consistent with the ATT&CK framework's privilege escalation and command and control techniques, specifically targeting the execution phase where attackers can manipulate command line arguments to achieve unauthorized system access. Organizations using OpenClaw systems are at risk of unauthorized command execution, potential data exfiltration, and system compromise when this vulnerability exists in unpatched versions. The attack requires minimal privileges and can be automated, making it particularly dangerous in enterprise environments where command execution controls are critical for maintaining system integrity and preventing unauthorized access to sensitive resources.
Mitigation strategies should focus on implementing consistent argument processing across approval and execution phases, ensuring that whitespace trimming occurs uniformly throughout the command processing pipeline. Organizations should immediately upgrade to OpenClaw version 2026.2.25 or later, which addresses this vulnerability through proper synchronization of approval and execution argument handling. Additional defensive measures include implementing strict input validation for command arguments, monitoring for unusual command execution patterns, and establishing more robust approval workflow controls that prevent manipulation of command parameters. System administrators should also consider implementing additional layers of command verification and logging to detect potential exploitation attempts, while ensuring that approval contexts cannot be reused for different command executions without proper re-verification.