OpenClaw Approval Integrity Vulnerability Leads to Code Execution (CVE-2026-32971)
OpenClaw before 2026.3.11 exhibits an approval-integrity vulnerability where attackers can place wrapper binaries to execute local code after operators approve misleading command text, due to the system displaying extracted shell payloads instead of the actual executed arguments.
OpenClaw is vulnerable to an approval-integrity issue (CVE-2026-32971) affecting versions prior to 2026.3.11. The vulnerability resides in the node-host system.run approval process: the system displays extracted shell payloads instead of the actual arguments (argv) that will be executed. An attacker can exploit this by crafting malicious commands using wrapper binaries. By inducing operators to approve what appears to be benign…
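The display mismatch described above, as an added JavaScript example (not OpenClaw's code; every function name and both sample argv vectors are hypothetical and constructed). It assumes the prompt extracts the payload after `-c`, and shows that such a prompt renders two different argument vectors identically, while displaying the full argv and binding the approval to it exposes the difference and rejects any vector other than the approved one.

```javascript
// Added illustration; these names are hypothetical, not OpenClaw APIs.

// Weak display: show only the shell payload extracted after "-c".
// Everything else in argv, including argv[0], is hidden from the operator.
function renderExtractedPayload(argv) {
  const i = argv.indexOf("-c");
  return i >= 0 && i + 1 < argv.length ? argv[i + 1] : argv.join(" ");
}

// Hardened display: one JSON-quoted line per argv element, so the
// executable path and every argument appear exactly as they will run.
function renderExactArgv(argv) {
  return argv.map((a, i) => `argv[${i}] = ${JSON.stringify(a)}`).join("\n");
}

// Approval record bound to the exact argv that was displayed.
function requestApproval(argv) {
  return { display: renderExactArgv(argv), boundTo: JSON.stringify(argv) };
}

// At execution time, run only if argv is identical to what was approved.
function authorize(approval, argvAtExec) {
  return approval.boundTo === JSON.stringify(argvAtExec);
}

// Constructed sample vectors: same payload, different executable.
const expected = ["/bin/sh", "-c", "git status"];
const different = ["/workspace/tools/sh", "-c", "git status"];

// The weak display cannot tell the two vectors apart.
console.log(renderExtractedPayload(expected) === renderExtractedPayload(different)); // true
// The hardened display shows the differing argv[0].
console.log(renderExactArgv(different));
// An approval for one vector does not authorize the other.
console.log(authorize(requestApproval(expected), different)); // false
```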
Detection coverage 2
Detect Suspicious OpenClaw Command Execution
high: Detects suspicious command execution within OpenClaw by monitoring for command lines that contain potentially malicious code.
Detect Suspicious OpenClaw Wrapper Binary Use
medium: Detects the execution of potentially malicious wrapper binaries within OpenClaw's environment.