← Voltar para CVEs

CVE-2026-32921

MEDIUM

6.3

Descricao

OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command shape.

Detalhes CVE

Pontuacao CVSS v3.16.3

SeveridadeMEDIUM

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosLOW

Interacao do usuarioNONE

Publicado3/31/2026

Ultima modificacao4/2/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

openclaw:openclaw

Fraquezas (CWE)

CWE-367

Referencias

https://github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/commit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/openclaw-script-content-modification-via-mutable-operand-binding-in-system-run(disclosure@vulncheck.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.