Platform: nodejs
Component: openclaw
Fixed in: 2026.3.11
CVE-2026-32978 is a remote code execution (RCE) vulnerability affecting openclaw, a Node.js host system. This flaw arises from insufficient validation of file operands within the system.run approval process, enabling attackers to rewrite scripts and execute malicious code under an approved context. Affected versions are those prior to 2026.3.11, and a fix has been released.
The impact of CVE-2026-32978 is significant, particularly for deployments that rely on node-host system.run approvals for script integrity. An attacker can obtain approval for a seemingly benign script-runner command. Subsequently, they can modify the referenced script file on disk. Crucially, when the approved command is executed, the modified, malicious code will run under the privileges of the OpenClaw runtime user. This represents a serious compromise, potentially granting attackers control over the host system. The blast radius extends to any sensitive data or services accessible by the OpenClaw runtime user.
CVE-2026-32978 was publicly disclosed on 2026-03-13. The vulnerability's exploitation context is currently unclear, and there are no known public proof-of-concept exploits. Its inclusion in the KEV catalog is pending. The CVSS score of 8 (HIGH) indicates a significant potential for exploitation if a suitable attack vector is developed.
Exploit Status
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2026-32978 is to upgrade openclaw to version 2026.3.11 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter file access controls on the scripts used by system.run. Review and audit all existing system.run approval configurations to ensure they adhere to the principle of least privilege. Implement monitoring to detect unexpected file modifications within the script directories. After upgrading, verify the fix by attempting to execute a script with a modified file and confirming that the modified code does not execute.
Update OpenClaw to version 2026.3.11 or later. This version fixes the approval bypass vulnerability by binding mutable file operands for certain script runners.
CVE-2026-32978 is a remote code execution vulnerability in openclaw affecting versions before 2026.3.11. It allows attackers to execute modified scripts after approval, potentially compromising the host system.
You are affected if you are using openclaw versions prior to 2026.3.11 and utilize the system.run approval feature for script execution.
Upgrade openclaw to version 2026.3.11 or later. If immediate upgrade is not possible, implement stricter file access controls and monitor script directories.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's high severity warrants immediate attention and mitigation.
Refer to the openclaw project's official website or security advisory page for the most up-to-date information and announcements regarding CVE-2026-32978.