CVE-2026-29608

Sažetak

OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text.

Reference

https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1
https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f
https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting

CVSS

Base:	6.7
Impact:	5.9
Exploitability:	0.8

Pristup

Vektor	Složenost	Autentikacija
LOCAL	HIGH	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

19-03-2026 - 02:16

Objavljeno

19-03-2026 - 02:16