Platform
nodejs
Component
openclaw
Fixed in
2026.3.11
CVE-2026-32979 is a high-severity vulnerability affecting the openclaw npm package. It allows for unintended local code execution when node-host system.run approval mode is used. This occurs because OpenClaw may execute different local code than initially approved if the script changes before execution. Affected versions include those less than or equal to the vulnerable release. A fix is available in version 2026.3.11.
This vulnerability poses a significant risk to deployments that use openclaw's node-host system.run approval mode. An attacker could present a benign-looking local script for approval and then replace its contents so that malicious code runs instead. The weakness is a time-of-check/time-of-use gap: the script is reviewed and approved at one point, but the code actually executed is whatever is on disk at execution time, which may differ from what was approved. The attacker thereby gains code execution with the privileges of the OpenClaw runtime user, potentially leading to data exposure, system compromise, or further exploitation. The impact is particularly severe in environments where system.run is used to execute untrusted scripts or scripts sourced from external locations.
This vulnerability was publicly disclosed on March 13, 2026. Currently, there are no known active campaigns exploiting this specific CVE. Public proof-of-concept (POC) code has not been widely released, but the potential for exploitation exists given the nature of the vulnerability. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32979 is to upgrade to version 2026.3.11 or later. If upgrading immediately is not feasible, consider temporarily disabling the system.run approval mode, which removes the vulnerable code execution path. Alternatively, implement strict input validation and sanitization for any scripts used with system.run to minimize the risk of malicious code injection. Regularly review and audit OpenClaw configurations to ensure adherence to security best practices. After upgrading, confirm the fix by approving a script, modifying it before it runs, and verifying that the modified content is refused rather than executed.
Upgrade OpenClaw to version 2026.3.11 or later. This corrects the approval integrity vulnerability that allows for the execution of rewritten local code.
CVE-2026-32979 is a high-severity vulnerability in the openclaw npm package that allows unintended local code execution when using node-host system.run approval mode.
You are affected if you are using openclaw versions less than or equal to the vulnerable release. Check your installed version with npm list openclaw.
Upgrade to version 2026.3.11 or later. If immediate upgrade is not possible, disable system.run approval mode or implement strict input validation.
Currently, there are no known active campaigns exploiting this specific CVE, but the potential for exploitation exists.
Refer to the openclaw project's official release notes and security advisories on their GitHub repository or npm package page.