CVE-2026-26325 Overview
CVE-2026-26325 is an authorization bypass vulnerability in OpenClaw, a personal AI assistant platform. A mismatch between rawCommand and command[] in the node host system.run handler allows security policy evaluation to be performed on one command while executing a different argv, effectively bypassing allowlist-based execution controls.
Critical Impact
Attackers with high privileges can bypass allowlist-based execution policies to run unauthorized system commands, potentially leading to complete compromise of confidentiality, integrity, and availability of affected systems.
Affected Products
- OpenClaw versions prior to 2026.2.14
- Deployments using node host / companion node execution path (system.run on a node)
- Configurations with allowlist-based exec policy (security=allowlist) and approval prompting (ask=on-miss)
Discovery Timeline
- 2026-02-19 - CVE-2026-26325 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26325
Vulnerability Analysis
This vulnerability falls under CWE-284 (Improper Access Control), where the security control mechanism fails to properly validate the consistency between two representations of the same command. The flaw enables an attacker to craft a request where the rawCommand parameter (used for allowlist evaluation) differs from the command[] array (used for actual execution).
In practice, an attacker could submit a benign-looking command string for approval while the actual executed argv contains malicious operations. This design flaw in the command parsing and validation logic creates a TOCTOU (Time-of-Check Time-of-Use) style vulnerability where the security check and the action operate on different data.
The vulnerability requires network access and high privileges to exploit, but once exploited, it can lead to unauthorized command execution with potentially severe consequences for system confidentiality, integrity, and availability.
Root Cause
The root cause lies in the inconsistent handling of command representations within the system.run handler. The gateway component would evaluate the rawCommand string against the allowlist policy, while the node host would execute based on the command[] array. Without proper validation ensuring these two representations resolve to the same command, an attacker could exploit this discrepancy.
The security patch introduces the validateSystemRunCommandConsistency function to enforce strict consistency between rawCommand and command[] at both the gateway level (fail-fast) and node host validation layer.
Attack Vector
The attack requires network access to the OpenClaw node execution interface. An attacker with high privileges (PR:H) who can invoke system.run could craft specially formed requests containing mismatched command representations. The allowlist check would pass based on the sanitized rawCommand, while the actual execution would use the malicious command[] array.
// Security patch in src/gateway/node-invoke-system-run-approval.ts
// Source: https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891
import type { ExecApprovalManager, ExecApprovalRecord } from "./exec-approval-manager.js";
import type { GatewayClient } from "./server-methods/types.js";
+import {
+ formatExecCommand,
+ validateSystemRunCommandConsistency,
+} from "../infra/system-run-command.js";
type SystemRunParamsLike = {
command?: unknown;
// Security patch in src/infra/system-run-command.ts - Command consistency validation
// Source: https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891
+import path from "node:path";
+
+export type SystemRunCommandValidation =
+ | {
+ ok: true;
+ shellCommand: string | null;
+ cmdText: string;
+ }
+ | {
+ ok: false;
+ message: string;
+ details?: Record<string, unknown>;
+ };
+
+function basenameLower(token: string): string {
+ const win = path.win32.basename(token);
+ const posix = path.posix.basename(token);
+ const base = win.length < posix.length ? win : posix;
+ return base.trim().toLowerCase();
+}
+
+export function formatExecCommand(argv: string[]): string {
+ return argv
+ .map((arg) => {
+ const trimmed = arg.trim();
+ if (!trimmed) {
+ return '""';
+ }
+ const needsQuotes = /\s|"/.test(trimmed);
+ if (!needsQuotes) {
Detection Methods for CVE-2026-26325
Indicators of Compromise
- Unexpected or unauthorized commands appearing in execution logs that don't match approved allowlist entries
- Discrepancies between gateway approval logs and actual node host execution logs
- Anomalous system.run requests with complex or encoded command parameters
- Failed validation errors in gateway logs after upgrading to patched version (indicating attempted exploitation)
Detection Strategies
- Implement logging correlation between gateway allowlist approval events and node host execution events
- Monitor for system.run invocations where rawCommand differs from resolved command[] values
- Deploy application-level monitoring to detect command execution that bypasses expected approval workflows
- Review audit logs for privileged users invoking system.run with unusual parameter patterns
Monitoring Recommendations
- Enable verbose logging on both gateway and node host components to capture full command parameters
- Set up alerts for any command execution that doesn't have a corresponding allowlist approval entry
- Monitor for increases in system.run invocations, particularly from users with elevated privileges
- Implement network segmentation monitoring to detect lateral movement following potential exploitation
How to Mitigate CVE-2026-26325
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Audit recent system.run invocations for signs of exploitation
- Review and restrict which users have privileges to invoke system.run
- Consider temporarily disabling node host execution paths until patches are applied
Patch Information
The vulnerability is fixed in OpenClaw version 2026.2.14. The patch enforces rawCommand/command[] consistency through gateway fail-fast validation and node host validation checks. The fix is available through the following resources:
Workarounds
- Disable node host / companion node execution path if not required for operations
- Change exec policy from security=allowlist to a more restrictive deny-all policy temporarily
- Remove system.run invocation privileges from all but essential administrative accounts
- Implement network-level access controls to restrict access to the node host interface
# Configuration example - Disable node host execution path
# In openclaw configuration file (openclaw.config.yaml)
node_host:
enabled: false
# Alternative: Restrict system.run to deny-all policy
security:
exec_policy: deny-all
system_run:
enabled: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
