CVE-2026-32065 Overview
CVE-2026-32065 is an approval-integrity bypass vulnerability affecting OpenClaw versions prior to 2026.2.25. The vulnerability exists in the system.run command execution functionality: the rendered command text, produced by trimming whitespace from each argv token, is used as the approval identity, while runtime execution uses the raw argv. This discrepancy allows an attacker to craft an executable token with a trailing space so that a different binary than the one shown to the approver is executed, resulting in unexpected command execution under the OpenClaw runtime user.
Critical Impact
Attackers who can influence command argv and reuse an approval context can execute arbitrary commands different from what was visually approved, bypassing security controls designed to prevent unauthorized command execution.
Affected Products
- OpenClaw versions prior to 2026.2.25
- OpenClaw for Node.js environments
Discovery Timeline
- 2026-03-21 - CVE-2026-32065 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-32065
Vulnerability Analysis
This vulnerability represents an Authorization Bypass flaw stemming from inconsistent handling of command arguments between the approval display logic and the actual execution logic. The core issue is a Time-of-Check Time-of-Use (TOCTOU) style inconsistency where the approval system normalizes whitespace when generating the approval identity hash, but the execution system uses the raw, unmodified argv array.
When an approval request is submitted, OpenClaw displays the trimmed/normalized command to the approver. However, trailing whitespace in executable tokens is preserved during actual execution. An attacker can exploit this by crafting command arguments with trailing spaces that, when trimmed, appear identical to an already-approved command but actually reference a different binary or path at runtime.
Root Cause
The root cause lies in the mismatch between how command identity is computed for approval purposes versus how commands are executed. The approval system uses normalized (whitespace-trimmed) command text as the approval identity, creating a canonical representation. However, the runtime execution path uses the original raw argv array without this normalization. This creates a semantic gap where visually identical commands can have different runtime behaviors.
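As an added illustration (not OpenClaw's code), the following TypeScript contrasts the rendered-text identity described above with an identity bound to the raw argv; the function names and the use of canonical JSON as the identity encoding are assumptions made for the example:

```typescript
// Added example, not OpenClaw's code: two ways to derive a system.run approval
// identity from argv, showing why the rendered (trimmed) text is unsafe.

type IdentityFn = (argv: string[]) => string;

/** Render argv the way an approval prompt shows it: trim tokens, join with spaces. */
function renderCommand(argv: string[]): string {
  return argv.map((tok) => tok.trim()).join(" ");
}

/** Vulnerable scheme: the identity is the rendered text, so token whitespace is lost. */
const identityFromRenderedText: IdentityFn = (argv) => "rendered:" + renderCommand(argv);

/** Fixed scheme: a canonical encoding of the raw argv. JSON keeps every byte of
 *  every token, including trailing whitespace, and keeps token boundaries.
 *  (A real system would hash this encoding; the string itself suffices here.) */
const identityFromRawArgv: IdentityFn = (argv) => "argv:" + JSON.stringify(argv);

type ApprovalRecord = { identity: string; displayed: string };

/** What gets stored when the approver accepts the prompt. */
function recordApproval(argv: string[], identity: IdentityFn): ApprovalRecord {
  return { identity: identity(argv), displayed: renderCommand(argv) };
}

/** Check at execution time: does this argv match the stored approval? */
function isApproved(rec: ApprovalRecord, argv: string[], identity: IdentityFn): boolean {
  return rec.identity === identity(argv);
}

// Constructed sample: the approved argv and a variant whose executable token has a
// trailing space. Both render as "ls -la", but the raw token "ls " names a
// different file than "ls" when the process is spawned.
const approvedArgv = ["ls", "-la"];
const trailingSpaceArgv = ["ls ", "-la"];

function demo(): { renderedSame: boolean; vulnerableAccepts: boolean; fixedAccepts: boolean } {
  const vulnRec = recordApproval(approvedArgv, identityFromRenderedText);
  const fixedRec = recordApproval(approvedArgv, identityFromRawArgv);
  return {
    renderedSame: renderCommand(approvedArgv) === renderCommand(trailingSpaceArgv), // true
    vulnerableAccepts: isApproved(vulnRec, trailingSpaceArgv, identityFromRenderedText), // true
    fixedAccepts: isApproved(fixedRec, trailingSpaceArgv, identityFromRawArgv), // false
  };
}

console.log(demo());
```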
Attack Vector
The attack requires network access and the ability to influence command arguments within the OpenClaw system. An attacker must:
- Hold low-privilege access that allows submitting commands through the OpenClaw interface
- Identify or obtain an existing approval context that can be reused
- Craft a malicious command with trailing whitespace that normalizes to match an approved command
- Execute the command, which will pass approval validation but execute a different binary
The following patch demonstrates how the fix binds approvals to the raw argv identity:
export type RequestExecApprovalDecisionParams = {
id: string;
command: string;
+ commandArgv?: string[];
cwd: string;
nodeId?: string;
host: "gateway" | "node";
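Review bot: `commandArgv?: string[]` is optional, so a caller that omits it leaves the approval bound only to the rendered `command` string, which is exactly the identity this fix is meant to replace; either make the field required for system.run requests or have the approval path refuse (or at least log) requests that arrive without it, and add a doc comment stating that `command` is display text and `commandArgv` is the authoritative identity.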
Source: GitHub Commit Update
The second part of the patch ensures the raw argv is registered with the approval request:
const registration = await registerExecApprovalRequestForHost({
approvalId,
command: params.command,
+ commandArgv: argv,
workdir: params.workdir,
host: "node",
nodeId,
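Review bot: `commandArgv: argv` is only a correct binding if this `argv` is the same array later handed to the process spawn, not a copy taken after any trimming or re-tokenization step; the host-side consumer should also verify the approval against the raw argv at execution time rather than trusting `params.command`, which is still passed here and should remain display-only.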
Source: GitHub Commit Update
Detection Methods for CVE-2026-32065
Indicators of Compromise
- Commands with trailing whitespace in executable paths or arguments being submitted to system.run
- Approval requests where the displayed command differs from the executed command when comparing raw bytes
- Unexpected binary executions under the OpenClaw runtime user account
- Log entries showing approved commands that don't match subsequent execution logs
Detection Strategies
- Implement logging that captures both the normalized approval identity and the raw argv for comparison
- Monitor for commands containing trailing whitespace characters in executable tokens
- Alert on any execution where the normalized command hash matches an approval but raw argv differs
- Review approval logs for patterns of command reuse that may indicate exploitation attempts
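The detection strategies listed above, implemented as an added example (not OpenClaw's code or log format) over constructed approval and execution records; the record shapes, field names and rule names are assumptions for the example:

```typescript
// Added example, not OpenClaw's code: an offline detection pass over constructed
// approval and execution log records, implementing the strategies listed above.
type ApprovalLog = { approvalId: string; displayedCommand: string };
type ExecLog = { approvalId: string; argv: string[]; pid: number };
type Finding = { approvalId: string; rule: string; detail: string };

/** Same rendering the approval prompt uses: trim tokens, join with single spaces. */
function renderCommand(argv: string[]): string {
  return argv.map((t) => t.trim()).join(" ");
}

function detect(approvals: ApprovalLog[], execs: ExecLog[]): Finding[] {
  const byId = new Map<string, ApprovalLog>();
  for (const a of approvals) byId.set(a.approvalId, a);
  const uses = new Map<string, number>();
  const findings: Finding[] = [];

  for (const e of execs) {
    uses.set(e.approvalId, (uses.get(e.approvalId) ?? 0) + 1);
    // Rule 1: leading/trailing whitespace in the executable token (argv[0]).
    const exe = e.argv[0];
    if (exe !== undefined && exe !== exe.trim()) {
      findings.push({ approvalId: e.approvalId, rule: "exec-token-whitespace", detail: `pid ${e.pid} argv[0]=${JSON.stringify(exe)}` });
    }
    // Rule 2: renders equal to the approved display, but some raw token is not its trimmed form.
    const approval = byId.get(e.approvalId);
    if (approval && renderCommand(e.argv) === approval.displayedCommand &&
        e.argv.some((t) => t !== t.trim())) {
      findings.push({ approvalId: e.approvalId, rule: "display-raw-mismatch",
        detail: `displayed ${JSON.stringify(approval.displayedCommand)}, ran ${JSON.stringify(e.argv)}` });
    }
  }
  // Rule 3: one approval consumed by more than one execution (reuse pattern).
  uses.forEach((n, id) => {
    if (n > 1) findings.push({ approvalId: id, rule: "approval-reuse", detail: `${n} executions` });
  });
  return findings;
}

// Constructed sample logs (not real OpenClaw output).
const sampleApprovals: ApprovalLog[] = [
  { approvalId: "apr-1", displayedCommand: "git status" },
  { approvalId: "apr-2", displayedCommand: "cat /etc/hostname" },
];
const sampleExecs: ExecLog[] = [
  { approvalId: "apr-1", argv: ["git", "status"], pid: 101 },        // benign
  { approvalId: "apr-1", argv: ["git ", "status"], pid: 102 },       // reuse + trailing space
  { approvalId: "apr-2", argv: ["cat", "/etc/hostname"], pid: 103 }, // benign
];
console.log(detect(sampleApprovals, sampleExecs));
```

Running it over the constructed records reports three findings, all on apr-1: the whitespace in the executable token, the display/raw mismatch, and the reuse of one approval for two executions.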
Monitoring Recommendations
- Enable detailed command logging in OpenClaw to capture full argv arrays
- Monitor the OpenClaw runtime user for unexpected process executions
- Implement file integrity monitoring on directories where approved commands typically execute from
- Set up alerts for approval context reuse patterns that may indicate abuse
How to Mitigate CVE-2026-32065
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.25 or later immediately
- Audit existing approval contexts and revoke any that may have been compromised
- Review recent command execution logs for evidence of exploitation
- Restrict which users can influence command arguments pending upgrade
Patch Information
OpenClaw has released version 2026.2.25 which addresses this vulnerability by binding system.run approvals to the raw argv identity rather than the normalized command text. The fix adds a commandArgv parameter to approval requests, ensuring that approval validation uses the exact same command representation as execution.
For detailed patch information, see the GitHub Commit and the GitHub Security Advisory.
Workarounds
- Implement strict input validation to reject commands with trailing whitespace before they reach the approval system
- Disable approval context reuse functionality if available until patching is complete
- Add a proxy layer that normalizes all command arguments consistently before both approval and execution
- Restrict system.run capabilities to trusted users only until the patch can be applied
# Recommended fix: upgrade to 2026.2.25 or later; the workarounds above are temporary measures only
npm install openclaw@2026.2.25
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

