CVE-2026-29608

Description

### Summary In `[email protected]`, node `system.run` approval-path hardening rewrote wrapper command argv in a way that changed execution semantics. A command shown/approved as a shell payload (for example `echo SAFE`) could execute a different local script when wrapper argv were rewritten. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `2026.3.1` (latest published npm version as of March 2, 2026) - Fixed release: `2026.3.2` (released) ### Technical Details Root cause was in node-host approval hardening for `system.run`: - `src/node-host/invoke-system-run-plan.ts` rewrote `argv[0]` to the resolved executable. - Wrapper resolution unwrapped dispatch wrappers, so input like `['env','sh','-c','echo SAFE']` resolved executable `sh`. - The approved plan could become `['/bin/sh','sh','-c','echo SAFE']` while approval text remained `echo SAFE`. That rewrite changed runtime behavior: `/bin/sh` interprets the extra `sh` positional argument as a script path, enabling execution of a local `./sh` file from approved `cwd` instead of the approved payload text. ### Impact Approval-integrity break in `host=node` execution flow: operator-visible command text and executed behavior could diverge. Exploit preconditions: - attacker can influence wrapper argv and place a local file in approved working directory, - operator grants approval for the displayed command. ### Fix Commit(s) - `dded569626b0d8e7bdab10b5e7528b6caf73a0f1` ### Fixed Version - Patched in `[email protected]`.

How to fix CVE-2026-29608

To remediate CVE-2026-29608, upgrade the affected package to a fixed version below.

• —upgrade to 2026.3.2 or later

Is CVE-2026-29608 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 2026.3.1, < 2026.3.2