CVE-2026-32921 Overview
CVE-2026-32921 is an approval bypass vulnerability (TOCTOU/Time-of-Check Time-of-Use race condition) affecting OpenClaw versions prior to 2026.3.8. The vulnerability exists in the system.run function where mutable script operands are not properly bound across the approval and execution phases. This allows attackers with low privileges to obtain approval for script execution, then modify the approved script file before execution occurs, effectively executing different content while maintaining the same approved command shape.
Critical Impact
Attackers can bypass the approval mechanism to execute unauthorized script content, potentially leading to unauthorized actions within the OpenClaw system.
Affected Products
- OpenClaw versions prior to 2026.3.8
- OpenClaw Node.js package (all vulnerable versions)
Discovery Timeline
- 2026-03-31 - CVE-2026-32921 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-32921
Vulnerability Analysis
This vulnerability is classified under CWE-367 (Time-of-Check Time-of-Use Race Condition). The core issue lies in how OpenClaw's system.run function handles script approval and execution as separate operations without maintaining immutability of the script content between these phases.
When a user requests approval to run a script, the system validates and approves the command based on its current state. However, because the script operand remains mutable after approval, an attacker can modify the script file's contents during the window between approval and execution. The execution phase then runs the modified content while the system believes it is executing the originally approved script.
This design flaw creates a race condition window that can be exploited through network access with low-privilege authentication. The vulnerability affects confidentiality, integrity, and availability to a limited degree, as attackers can execute unintended operations within the scope of the approval system.
Root Cause
The root cause is the failure to bind or snapshot script content at the time of approval. The system.run function references script files by path rather than by content hash or immutable copy. This architectural decision allows the underlying file content to change between the approval check and the actual execution, violating the principle of atomicity that should govern approval-protected operations.
Attack Vector
The attack requires network access and low-privilege authentication to the OpenClaw system. The exploitation flow involves:
- An attacker submits a benign script for approval through system.run
- The approval mechanism validates and approves the script based on its current content
- Before execution occurs, the attacker modifies the approved script file
- When execution proceeds, the system runs the modified (malicious) content
- The approval record shows the original benign command shape, masking the actual executed content
The vulnerability can be exploited without user interaction, making it suitable for automated attack scenarios. The attack complexity is low since the modification window is predictable and the race condition is reliable to trigger.
Detection Methods for CVE-2026-32921
Indicators of Compromise
- Unexpected modifications to script files between approval and execution timestamps
- Discrepancies between approved script content hashes and executed script hashes in audit logs
- Anomalous script execution patterns where approved commands produce unexpected system behavior
Detection Strategies
- Implement file integrity monitoring on scripts subject to the approval workflow
- Enable detailed audit logging that captures both approval-time and execution-time script content
- Monitor for rapid file modification events immediately following approval grants
- Deploy behavioral analysis to detect execution results inconsistent with approved script purposes
Monitoring Recommendations
- Configure alerts for file modification events on approved script directories
- Implement hash-based verification logging at both approval and execution phases
- Monitor OpenClaw application logs for unusual system.run invocation patterns
- Review access patterns for accounts with approval privileges for anomalous activity
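The detection strategies above (hash-based verification logging at both phases, and file writes landing between approval and execution) can be correlated from audit events like this. This is an added example, not part of the original advisory; the event format, field names and hash values are constructed for illustration.

```javascript
// Added example (not OpenClaw code): correlate constructed audit-log
// events and flag executions whose hash differs from the approval-time
// hash, or whose file was written between approval and execution.
// Event shape, field names and hash strings are assumptions.
const AUDIT_LOG = [
  '{"ts":100,"event":"approval","id":"a1","path":"/scripts/a.sh","hash":"h-benign"}',
  '{"ts":101,"event":"execution","id":"a1","path":"/scripts/a.sh","hash":"h-benign"}',
  '{"ts":200,"event":"approval","id":"a2","path":"/scripts/b.sh","hash":"h-benign"}',
  '{"ts":201,"event":"file_write","path":"/scripts/b.sh","actor":"user7"}',
  '{"ts":202,"event":"execution","id":"a2","path":"/scripts/b.sh","hash":"h-other"}',
  '{"ts":300,"event":"execution","id":"a9","path":"/scripts/c.sh","hash":"h-any"}',
];

function parseEvents(lines) {
  return lines.map((line) => JSON.parse(line));
}

// Returns one finding per execution that shows signs of approval bypass.
function findTamperedApprovals(lines) {
  const events = parseEvents(lines);
  const approvals = new Map();
  for (const e of events) {
    if (e.event === "approval") approvals.set(e.id, e);
  }
  const findings = [];
  for (const e of events) {
    if (e.event !== "execution") continue;
    const a = approvals.get(e.id);
    if (!a) {
      findings.push({ id: e.id, reasons: ["execution-without-approval"] });
      continue;
    }
    const reasons = [];
    // Content that ran is not the content that was approved.
    if (e.hash !== a.hash) reasons.push("hash-mismatch");
    // Any write to the approved path inside the approval-execution window.
    const writes = events.filter((w) => w.event === "file_write" &&
      w.path === a.path && w.ts > a.ts && w.ts < e.ts);
    if (writes.length) {
      reasons.push("file-write-in-window:" + writes.map((w) => w.actor).join(","));
    }
    if (reasons.length) findings.push({ id: e.id, reasons });
  }
  return findings;
}
```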
How to Mitigate CVE-2026-32921
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.8 or later immediately
- Review recent system.run approval and execution logs for potential exploitation
- Implement additional access controls on script storage locations as a defense-in-depth measure
- Consider temporarily disabling the system.run approval workflow if upgrade is delayed
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.3.8. Two commits have been released to fix this issue:
For complete details, refer to the GitHub Security Advisory GHSA-8g75-q649-6pv6 and the VulnCheck Security Advisory.
Workarounds
- Restrict write access to script directories used with system.run to prevent unauthorized modifications
- Implement external file integrity monitoring to detect changes to approved scripts before execution
- Add manual content verification steps between approval and execution phases where automated fixes cannot be immediately deployed
- Consider using read-only file systems for approved script storage as a temporary measure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.