OpenClaw Approval-Integrity Bypass Vulnerability in system.run Command Execution

A vulnerability exists in OpenClaw versions prior to 2026.2.25, allowing for an approval-integrity bypass in the system.run command execution. The issue arises because the rendered command text is used as the approval identity while trimming whitespace from the argv tokens. However, the actual execution uses the raw argv, enabling an attacker to craft a trailing-space executable token that executes a different binary than what was displayed during the approval process. This vulnerability can lead to unexpected command execution under the OpenClaw runtime user, particularly when the attacker can influence the command argv and reuse an approval context.

Impact

Exploiting this vulnerability can bypass approval integrity, leading to unauthorized command execution under the OpenClaw runtime user.

Reproduction

To reproduce this vulnerability, create a command that includes a trailing space in the executable token. When the command is submitted for approval, the trimmed version will be displayed. However, during execution, the raw argv will be used, allowing the execution of a different binary than what was approved. This can be done by influencing the command argv and reusing an approval context that matches the crafted command.

Remediation

Users can update to OpenClaw version 2026.2.25 or later to address this vulnerability.