CVE-2026-32043

low-risk
Published 2026-03-21

OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and execution to bypass command execution restrictions and execute arbitrary commands on node hosts.

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
LOCAL / HIGH complexity

Affected Products (1)

Affected Vendors

Openclaw

References (3)

Patch https://github.com/openclaw/openclaw/commit/f789f880c934caa8be25b38832f27f90f379...
Vendor Advisory https://github.com/openclaw/openclaw/security/advisories/GHSA-mwcg-wfq3-4gjc
Third Party Advisory https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-via-muta...
22
/ 100
low-risk
Severity 17/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal