OpenClaw Approval Bypass Vulnerability in System.run Execution

Vulnerability

OpenClaw versions prior to 2026.2.26 allow an approval bypass in system.run execution, so that a command approved for one working directory can run from a different filesystem location. The weakness is a time-of-check/time-of-use gap: the working directory is approved as a path string, and if any parent component of that path is a symlink the attacker can write to, the symlink can be rebound to a different target after approval has been granted but before the command executes. The visible working-directory string never changes, so the approval still appears to match, while the command resolves through the rebound symlink and executes in a location the approver never saw.

Impact

An attacker who can write to a parent symlink of the approved working directory can bypass the system.run approval check and have an approved command execute from a filesystem location other than the one that was approved, without altering the working-directory string shown at approval time.

Reproduction

To reproduce, request approval for a command through system.run.prepare, using a working directory whose path passes through a symlink the attacker can write to, and obtain the approval. After approval has been granted but before the command is executed, rebind that symlink, for example by replacing it with a new symlink to a different target directory, so that the same path string now resolves elsewhere. Then execute the approved command: it runs in the new target directory rather than in the directory that was approved.
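The following shell script is an added illustration of the approve-then-rebind window described above; it is constructed for this page and is not OpenClaw code, and the directory names, marker files and the resolve-and-compare check are assumptions, not the project's actual approval logic. It shows a "naive" executor that trusts the approved path string running in the wrong directory after the symlink is rebound, and a checked executor that re-resolves the path at execution time and refuses when the canonical target no longer matches what was approved.

```shell
#!/bin/sh
# Constructed demonstration of a symlink rebind between approval and execution.
# Not OpenClaw code; directory layout and check logic are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mkdir -p "$WORK/project" "$WORK/elsewhere"
echo "intended"   > "$WORK/project/marker"
echo "redirected" > "$WORK/elsewhere/marker"
# The path the user sees and approves goes through a writable symlink.
ln -s "$WORK/project" "$WORK/cwd"

# Resolve a working-directory string to its canonical path (all symlinks followed).
resolve_cwd() {
    (cd "$1" && pwd -P)
}

# Approval stage: record the visible string and what it resolved to at that moment.
APPROVED_CWD="$WORK/cwd"
APPROVED_REAL=$(resolve_cwd "$APPROVED_CWD")

# Attacker's move in the window between approval and execution: rebind the symlink.
rebind_cwd() {
    rm -f "$WORK/cwd"
    ln -s "$WORK/elsewhere" "$WORK/cwd"
}

# Vulnerable executor: trusts the approved string and never re-resolves it.
run_naive() {
    (cd "$APPROVED_CWD" && cat marker)
}

# Hardened executor: re-resolve at execution and refuse if the target has moved.
run_checked() {
    now=$(resolve_cwd "$APPROVED_CWD")
    if [ "$now" != "$APPROVED_REAL" ]; then
        echo "refused: $APPROVED_CWD now resolves to $now, approved $APPROVED_REAL" >&2
        return 1
    fi
    (cd "$APPROVED_CWD" && cat marker)
}

rebind_cwd
run_naive            # prints "redirected": same visible string, different directory
run_checked || true  # prints a refusal to stderr instead of running
```

Comparing canonical paths at execution time narrows the window but does not remove it, because the re-resolution and the later cd/execute are still two separate operations. The robust fix for this class of issue is to open the approved directory at approval time and keep that descriptor (fchdir, or running the command relative to it) through execution, so a later rebind of any path component cannot change where the command runs.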

Remediation

Users can update to OpenClaw version 2026.2.26 or later, where this vulnerability has been addressed.

Added: Mar 18, 2026, 2:24 AM
Updated: Mar 18, 2026, 2:24 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 3.9
remediation: 0.0
relevance: 4.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.