CVE-2026-32978

HIGH 8.0

OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners

CVSS Score

8.0

EPSS Score

0.0%

EPSS Percentile

10th

OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and execute modified code under the approved run context.

CWE	CWE-863
Vendor	openclaw
Product	openclaw
Published	Mar 29, 2026
Last Updated	Mar 30, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new high vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

OpenClaw / OpenClaw

0 < 2026.3.11

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners

Credits

🔍 tdjackey