Vulnerability Description
OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.26 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/10481097f8e6dd0346db9be0b5f27570e1bdPatch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-hjvp-qhm6-wrh2Vendor Advisory
- https://www.vulncheck.com/advisories/openclaw-approval-context-binding-weakness-Third Party Advisory
FAQ
What is CVE-2026-32058?
CVE-2026-32058 is a vulnerability with a CVSS score of 2.6 (LOW). OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environme...
How severe is CVE-2026-32058?
CVE-2026-32058 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32058?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.