CVE-2026-32058 LOW

CVE-2026-32058: OpenClaw < 2026.2.26 - Approval Context-Binding Weakness in system.run via host=node

Vendor Openclaw
Product OpenClaw
Weakness CWE-863 · Incorrect authorization
Published March 21, 2026
Last update March 23, 2026

CVSS base score

2.0/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Active
Confidentiality None
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows.

Key dates

02 Disclosure timeline

March 21, 2026 CVE published
March 23, 2026 Record updated