{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26325", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.808Z", "datePublished": "2026-02-19T22:53:17.545Z", "dateUpdated": "2026-02-20T15:39:41.148Z"}, "containers": {"cna": {"title": "OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476"}, {"name": "https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891", "tags": ["x_refsource_MISC"], "url": "https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891"}, {"name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "tags": ["x_refsource_MISC"], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"}], "affected": [{"vendor": "openclaw", "product": "openclaw", "versions": [{"version": "< 2026.2.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T22:53:17.545Z"}, "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation)."}], "source": {"advisory": "GHSA-h3f9-mjwj-w476", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T15:29:39.623841Z", "id": "CVE-2026-26325", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:39:41.148Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26325", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T15:29:39.623841Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:29:41.442Z"}}], "cna": {"title": "OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals", "source": {"advisory": "GHSA-h3f9-mjwj-w476", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openclaw", "product": "openclaw", "versions": [{"status": "affected", "version": "< 2026.2.14"}]}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476", "name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891", "name": "https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T22:53:17.545Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26325", "state": "PUBLISHED", "dateUpdated": "2026-02-20T15:39:41.148Z", "dateReserved": "2026-02-13T16:27:51.808Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T22:53:17.545Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0F3079A3-9FBD-4E87-821D-5CAF0622C555", "versionEndExcluding": "2026.2.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation)."}, {"lang": "es", "value": "OpenClaw es un asistente personal de IA. Antes de la versi\u00f3n 2026.2.14, una inconsistencia entre `rawCommand` y `command[]` en el gestor `system.run` del host del nodo podr\u00eda causar que la evaluaci\u00f3n de la lista de permitidos/aprobaci\u00f3n se realizara sobre un comando mientras se ejecutaba un argv diferente. Esto solo afecta a las implementaciones que utilizan la ruta de ejecuci\u00f3n del host del nodo / nodo compa\u00f1ero (`system.run` en un nodo), habilitan la pol\u00edtica de ejecuci\u00f3n basada en lista de permitidos (`security=allowlist`) con solicitudes de aprobaci\u00f3n impulsadas por fallos en la lista de permitidos (por ejemplo, `ask=on-miss`), y permiten a un atacante invocar `system.run`. Las configuraciones predeterminadas/no de nodo no se ven afectadas. La versi\u00f3n 2026.2.14 impone la consistencia de `rawCommand`/`command[]` (validaci\u00f3n r\u00e1pida de fallos en la pasarela + validaci\u00f3n del host del nodo)."}], "id": "CVE-2026-26325", "lastModified": "2026-02-23T13:47:10.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-19T23:16:25.800", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.2.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openclaw", "source": "cna", "vendor": "openclaw"}, "product": "openclaw", "vendor": "openclaw"}], "analysis": {"en": {"generated_at": "2026-04-17T17:47:46.203468+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenClaw version 2026.2.14 or later, where rawCommand and command[] checks are enforced to fail fast and host validation is added.", "Reconfigure the system to disable or restrict the system.run interface for untrusted or non\u2011node hosts, and ensure allowlist/security=allowlist policies are only applied where appropriate.", "Audit existing deployments for mismatched rawCommand and command[] usage, and validate that all configurations use the same array when invoking system.run."], "summary": {"action": "Update", "impact": "BYPASS OF EXECUTION ALLOWLIST/APPROVALS LEADING TO POTENTIAL ARBITRARY COMMAND EXECUTION"}, "threat_synthesis": {"affected_systems": "All OpenClaw installations older than version 2026.2.14 that use the node host companion execution path and have security=allowlist enabled with ask=on-miss approval prompting. Configurations that do not use the node host or do not enable allowlist-based exec policy are not affected. The flaw appears in the openclaw:openclaw product for Node.js environments.", "description_and_impact": "A discrepancy between rawCommand and command[] variables in the node host system.run handler allows the system to perform allowlist or approval checks against one command while executing a different argv array. This flaw can enable an attacker who can invoke system.run to bypass defined security policies and execute arbitrary code, compromising system confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score is 7.2, indicating a moderate to high severity vulnerability. The EPSS score is less than 1 percent, suggesting a very low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be able to trigger system.run, typically through exposed APIs or local access. Once triggered, the attacker can circumvent policy checks and launch arbitrary commands."}}}}, "created": "2026-02-20T09:53:35.666781+00:00", "updated": "2026-04-17T18:00:12.158812+00:00", "vendors": ["openclaw", "openclaw$PRODUCT$openclaw"]}