CVE-2026-31997: Openclaw Openclaw RCE Vulnerability

CVE-2026-31997 Overview

OpenClaw versions prior to 2026.3.1 contain a Time-of-Check Time-of-Use (TOCTOU) vulnerability in the system.run approval mechanism. The application fails to pin executable identity for non-path-like argv[0] tokens during system.run approvals, enabling post-approval executable rebind attacks. This weakness allows attackers to modify PATH resolution after approval to execute a different binary than what the operator originally approved, potentially enabling arbitrary command execution on the affected system.

Critical Impact

Attackers can exploit the race condition between approval and execution to substitute approved executables with malicious binaries, bypassing security controls and enabling arbitrary command execution.

Affected Products

• OpenClaw versions prior to 2026.3.1
• OpenClaw for Node.js (all affected versions)
• Systems using OpenClaw system.run approval workflows

Discovery Timeline

• 2026-03-19 - CVE-2026-31997 published to NVD
• 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2026-31997

Vulnerability Analysis

This vulnerability stems from a classic Time-of-Check Time-of-Use (TOCTOU) race condition (CWE-367) in OpenClaw's system.run approval process. When an operator approves a command execution request, OpenClaw verifies the executable at approval time but fails to maintain a binding between the approved identity and the actual executable that runs. For non-path-like argv[0] tokens (commands specified without an absolute path), the application relies on PATH environment variable resolution at execution time rather than locking the executable at approval time.

This design flaw creates a window of opportunity between when an operator approves a command and when that command actually executes. During this window, an attacker with local access can manipulate the PATH environment variable or place a malicious binary in a directory that takes precedence in PATH resolution. When the approved command finally executes, it resolves to the attacker's malicious binary instead of the legitimate executable that was implicitly approved.

Root Cause

The root cause lies in OpenClaw's failure to implement proper executable identity pinning during the approval workflow. When system.run receives approval for a command like python script.py, it stores only the command string rather than resolving and recording the full path to the executable (e.g., /usr/bin/python). This leaves the actual executable resolution to occur at execution time, creating the exploitable TOCTOU window.

Attack Vector

The attack requires local access to the system and leverages the following sequence:

1. A legitimate user requests approval to run a command using a non-path-like token (e.g., git, python, node)
2. An operator reviews and approves the request, trusting the named executable
3. Before execution occurs, the attacker modifies the PATH environment variable or places a malicious binary in a higher-priority PATH directory
4. When OpenClaw executes the approved command, PATH resolution now points to the attacker's malicious binary
5. The malicious binary executes with whatever privileges the system.run process holds

The vulnerability requires user interaction (operator approval) and local access, which limits the attack surface but still presents a significant risk in multi-user environments or systems with shared access.

Detection Methods for CVE-2026-31997

Indicators of Compromise

• Unexpected changes to PATH environment variable in processes running OpenClaw
• New or modified executables appearing in PATH directories shortly before approved command execution
• Discrepancies between approved command names and actual executed binary paths in audit logs
• Unusual process spawning patterns from OpenClaw system.run processes

Detection Strategies

• Monitor for PATH environment variable modifications in OpenClaw process contexts
• Implement file integrity monitoring on directories in the system PATH
• Audit system.run approval logs and correlate with actual execution paths
• Deploy behavioral analysis to detect approved commands executing from unexpected locations

Monitoring Recommendations

• Enable verbose logging for OpenClaw system.run operations to capture both approval and execution details
• Configure alerts for any executable resolution that differs from typical patterns
• Monitor process creation events from OpenClaw processes using endpoint detection tools
• Review OpenClaw audit logs regularly for signs of exploitation attempts

How to Mitigate CVE-2026-31997

Immediate Actions Required

• Upgrade OpenClaw to version 2026.3.1 or later immediately
• Audit recent system.run approvals and executions for any discrepancies
• Restrict local access to systems running vulnerable OpenClaw versions
• Implement additional access controls around PATH-modifiable directories

Patch Information

OpenClaw has released version 2026.3.1 which addresses this vulnerability by implementing proper executable identity pinning at approval time. The fix ensures that when a non-path-like command is approved, OpenClaw resolves and records the full executable path immediately, preventing post-approval rebind attacks.

For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory. Additional technical details are available in the VulnCheck Advisory.

Workarounds

• Use absolute paths for all system.run approvals (e.g., /usr/bin/python instead of python)
• Implement strict PATH controls preventing modification in OpenClaw execution contexts
• Restrict write access to all directories in the system PATH
• Deploy additional monitoring to detect PATH manipulation attempts before patching is possible

# Configuration example: Restrict PATH to trusted directories only
export PATH="/usr/local/bin:/usr/bin:/bin"
chmod 755 /usr/local/bin /usr/bin /bin
# Ensure only root can write to PATH directories