Nixpkgs security tracker

Untriaged

Permalink CVE-2026-29608

6.7 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 3 weeks, 5 days ago

OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting

OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text.

References

GitHub Security Advisory (GHSA-h3rm-6x7g-882f) third-party-advisory
Patch Commit patch
VulnCheck Advisory: OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting third-party-advisory

Affected products

OpenClaw

<2026.3.2

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

nixos-unstable 2026.3.12
- nixpkgs-unstable 2026.3.12
- nixos-unstable-small 2026.3.12

Package maintainers

@chrisportela Chris Portela <chris@chrisportela.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.openclaw

Package maintainers