CVE-2026-32978 Overview
OpenClaw before version 2026.3.11 contains an approval integrity vulnerability (CWE-863: Incorrect Authorization) where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. This authorization bypass allows attackers to obtain approval for benign script commands, subsequently rewrite referenced scripts on disk, and execute modified code under the approved run context.
Critical Impact
This vulnerability enables attackers to bypass the approval system designed to authorize script execution, allowing arbitrary code execution by manipulating approved script files after initial authorization is granted.
Affected Products
- OpenClaw versions prior to 2026.3.11
- OpenClaw Node.js package (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*)
Discovery Timeline
- 2026-03-29 - CVE-2026-32978 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-32978
Vulnerability Analysis
This vulnerability exists in OpenClaw's approval integrity mechanism for system.run operations. The core issue stems from how the approval system handles file operands when certain script runners are invoked. When users execute scripts through runners like tsx or jiti, the approval mechanism fails to cryptographically bind the file contents to the approval token. This creates a time-of-check to time-of-use (TOCTOU) gap that attackers can exploit.
The authorization bypass allows an attacker to first obtain approval for executing a benign, innocuous script. Once approval is granted, the attacker can modify the script file on disk with malicious code. When the approved command is executed, the malicious code runs with the permissions and context of the original approval, effectively bypassing the security control entirely.
Root Cause
The root cause is an incorrect authorization implementation (CWE-863) in the system.run approval workflow. The approval system validates the command and script path at approval time but does not bind the actual file contents or maintain a hash of the approved script. For script runners like tsx and jiti, the system fails to track that the file operand is mutable, allowing post-approval modifications to go undetected.
Attack Vector
The attack is network-accessible and requires low privileges with some user interaction. An attacker with access to the file system where approved scripts reside can exploit this vulnerability through the following approach:
- Submit a benign script for system.run approval using a vulnerable script runner (tsx, jiti)
- Obtain approval from an authorized user or automated approval system
- Modify the approved script file on disk with malicious payload
- Execute the previously approved command, which now runs the modified malicious code
- Malicious code executes within the trusted approval context, bypassing security controls
The vulnerability has implications beyond the immediate system, potentially impacting connected systems and services due to the elevated trust context of approved operations.
Detection Methods for CVE-2026-32978
Indicators of Compromise
- Unexpected modifications to script files that have been previously approved for system.run execution
- Script file timestamps showing changes between approval time and execution time
- Anomalous execution patterns from tsx or jiti script runners
- Audit logs showing approved commands executing with unexpected behavior or outcomes
Detection Strategies
- Implement file integrity monitoring (FIM) on directories containing approved scripts
- Monitor for changes to scripts between approval grant and command execution
- Review system.run audit logs for patterns of approval followed by rapid file modifications
- Detect unusual process spawning from tsx or jiti runners that deviate from expected behavior
Monitoring Recommendations
- Enable comprehensive logging for all system.run approval and execution events
- Configure alerting on file modifications in script directories with active approvals
- Implement hash-based verification of script contents at execution time as an additional layer
- Establish baseline behavior for script runners and alert on deviations
How to Mitigate CVE-2026-32978
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.11 or later immediately
- Audit existing approvals for scripts using tsx, jiti, or similar script runners
- Revoke and re-issue approvals after upgrading to ensure proper binding
- Restrict file system write access to directories containing approved scripts
Patch Information
OpenClaw has released version 2026.3.11 which addresses this approval integrity vulnerability. The patch ensures that file operands are properly bound during the approval process, preventing post-approval modifications from being executed under the original approval context. Refer to the GitHub Security Advisory for complete patch details and the VulnCheck Advisory for additional technical analysis.
Workarounds
- Implement strict file system permissions to prevent unauthorized modifications to approved script files
- Use immutable file systems or read-only mounts for directories containing approved scripts
- Deploy file integrity monitoring to detect and alert on any script modifications
- Consider disabling tsx and jiti script runners until the patch can be applied
- Implement manual verification workflows requiring re-approval if script files change
# Lock down permissions on script directories
chmod 755 /path/to/approved/scripts
chown root:root /path/to/approved/scripts/*.ts
# Enable file integrity monitoring (example using AIDE)
# (after --init, move the newly written database, aide.db.new, into place as aide.db before running --check)
aide --init
aide --check
# Consider making script directory read-only
# (remount only works when the directory is its own mount point, e.g. a bind mount)
mount -o remount,ro /path/to/approved/scripts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.