GHSA-HWPQ-RRPF-PGCQ: Execution Approval Bypass in OpenClaw system.run
Source: Dev.to
Vulnerability Overview
- Vulnerability ID: GHSA-HWPQ-RRPF-PGCQ
- CVSS Score: 7.2 (High)
- Published: 2026-03-02
- CWE: CWE-290 (Improper Authentication)
- Attack Vector: Network (Agent Instruction)
- Impact: Arbitrary Code Execution
- Exploit Status: PoC Available
- Vendor: OpenClaw
A critical vulnerability in the OpenClaw AI assistant allows attackers to bypass execution‑approval mechanisms. A discrepancy between the command displayed to the user and the command actually executed enables an attacker to trick a user into approving a malicious binary under the guise of a benign command. The issue affects the system.run tool and can lead to arbitrary code execution if the attacker can influence the AI agent’s tool calls.
Affected Versions
OpenClaw versions prior to 2026.2.25 contain a UI spoofing vulnerability in the system.run approval flow. The vulnerability can be triggered by using binaries with trailing whitespace in their names, while the UI shows a clean, benign command for approval.
- Package: openclaw (npm)
- Affected range: < 2026.2.25
- Fixed in: 2026.2.25
Patch Details
The fix introduces strict argument‑vector identity binding for system.run approval.
@@ -45,7 +45,15 @@
- if (commandString === approvedString) {
+ if (requestedArgv) {
+ if (requestedArgv.length !== argv.length) return false;
+ for (let i = 0; i < requestedArgv.length; i++) {
+ if (requestedArgv[i] !== argv[i]) return false;
+ }
+ }
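Review bot: The added guard, if (requestedArgv), makes the argv identity check optional. When requestedArgv is null or undefined, the length and per-element comparisons are skipped, and the visible lines do not show what the function returns on that path. For an approval gate that path should fail closed, for example by returning false when no requested argv is bound to the approval, or the code should document which callers may legitimately omit it. The hunk header (-45,7 +45,15) also covers more lines than appear here, so how the block opened by the removed if (commandString === approvedString) { line is closed cannot be checked from this excerpt.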
Remediation Steps
- Stop the running OpenClaw instance.
- Upgrade to the patched version:
  npm install -g openclaw@latest
- Verify the installation:
  openclaw --version # Should report 2026.2.25 or higher
- Restart the AI agent.
- Audit existing system.run logs for executions involving tokens with trailing or unusual whitespace.
- Restrict the AI agent’s write access to directories in the system PATH to prevent staging of spoofed binaries.
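One way to carry out the log audit step above, as an added example that is not OpenClaw code. It assumes system.run executions can be exported as JSON lines with an argv array field (a hypothetical format); the function names and sample records are constructed for illustration.

```javascript
// Added example: flag system.run argv tokens whose whitespace could make the
// displayed command differ from the one that was executed.
// Assumption: one JSON record per line with an "argv" array (hypothetical format).

// Whitespace or invisible characters other than a plain ASCII space.
const UNUSUAL = /[\t\n\v\f\r\u00a0\u1680\u2000-\u200f\u2028\u2029\u202f\u205f\u2060\u3000\ufeff]/;

function suspiciousTokens(argv) {
  const findings = [];
  argv.forEach((token, index) => {
    const reasons = [];
    if (typeof token !== "string") {
      reasons.push("non-string token");
    } else {
      if (token !== token.trimEnd()) reasons.push("trailing whitespace");
      if (token !== token.trimStart()) reasons.push("leading whitespace");
      if (UNUSUAL.test(token)) reasons.push("unusual whitespace character");
      // argv[0] names the binary; whitespace inside that name deserves review.
      if (index === 0 && /\s/.test(token.trim())) reasons.push("whitespace inside binary name");
    }
    // JSON.stringify makes otherwise invisible characters visible in the report.
    if (reasons.length) findings.push({ index, token: JSON.stringify(token), reasons });
  });
  return findings;
}

function auditLog(text) {
  const report = [];
  text.split("\n").forEach((line, i) => {
    if (!line.trim()) return;
    let record;
    try { record = JSON.parse(line); } catch { report.push({ line: i + 1, error: "unparseable" }); return; }
    if (!Array.isArray(record.argv)) { report.push({ line: i + 1, error: "no argv array" }); return; }
    const findings = suspiciousTokens(record.argv);
    if (findings.length) report.push({ line: i + 1, findings });
  });
  return report;
}

// Constructed sample records, not real OpenClaw log output.
const SAMPLE_LOG = [
  '{"ts":"2026-02-20T10:00:00Z","argv":["git","status"]}',
  '{"ts":"2026-02-20T10:01:00Z","argv":["git ","status"]}',
  '{"ts":"2026-02-20T10:02:00Z","argv":["ls\\u00a0","-la"]}',
  '{"ts":"2026-02-20T10:03:00Z","argv":["echo","hello world"]}',
  'not json',
].join("\n");

console.log(JSON.stringify(auditLog(SAMPLE_LOG), null, 2));
```

Records that cannot be parsed are reported rather than skipped, so a malformed entry is not silently missed during the audit.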
References
- GitHub Advisory: GHSA-HWPQ-RRPF-PGCQ – includes PoC methodology.
- OpenClaw Security Policy: https://github.com/openclaw/openclaw/security/policy
- Full advisory report with interactive diagrams and exploit analysis is available on the OpenClaw website.