Interpretation Conflict in OpenClaw - CVE-2026-32065

Published: May 1, 2026
Vulnerability identifier: #VU128764
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32065
CWE-ID: CWE-436
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to execute an unexpected command.

The vulnerability exists due to an interpretation conflict in the system.run approval identity handling when processing a command argv that contains a crafted trailing-space executable token. A remote user can supply such a crafted command argv and reuse or obtain a matching approval context to execute an unexpected command.

The command may run under the OpenClaw runtime user, and the executed binary can differ from the one shown to the approver.
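The mismatch class described above, as an added illustration that is not OpenClaw's code: an approval identity keyed on a whitespace-normalised view of argv[0] lets a token such as `backup-tool ` reuse an approval granted for `backup-tool`, while the executor still receives the raw token. The hardened variant rejects any executable token that changes under normalisation and keys the approval on the exact argv the executor will see. Function names, the sample command and the weak key derivation are constructed for the example.

```python
import hashlib
import shlex
from typing import Callable, Sequence


class ApprovalError(ValueError):
    """Raised when an argv cannot be bound to a safe approval identity."""


def display_command(argv: Sequence[str]) -> str:
    """Text shown to the human approver; shlex.join quotes odd tokens."""
    return shlex.join(argv)


def naive_approval_id(argv: Sequence[str]) -> str:
    """Constructed weak derivation: strips whitespace from argv[0] before
    hashing, so 'tool' and 'tool ' map to one approval identity even though
    the executor is handed the raw, unstripped token."""
    exe = argv[0].strip()
    return hashlib.sha256("\0".join([exe, *argv[1:]]).encode()).hexdigest()


def strict_approval_id(argv: Sequence[str]) -> str:
    """Hardened derivation: refuse an executable token that is empty or that
    differs from its whitespace-normalised form, refuse NUL bytes, and hash
    the argv exactly as the executor will receive it."""
    if not argv:
        raise ApprovalError("empty argv")
    exe = argv[0]
    if exe == "" or exe != exe.strip():
        raise ApprovalError(f"executable token rejected: {exe!r}")
    if any("\0" in arg for arg in argv):
        raise ApprovalError("NUL byte in argv")
    return hashlib.sha256("\0".join(argv).encode()).hexdigest()


def reuse_allowed(approved: Sequence[str], requested: Sequence[str],
                  id_fn: Callable[[Sequence[str]], str]) -> bool:
    """True only if the requested argv carries the same approval identity
    as the one the approver actually saw; rejected tokens never match."""
    try:
        return id_fn(approved) == id_fn(requested)
    except ApprovalError:
        return False


# Constructed sample: the approver saw APPROVED; REQUESTED differs only by
# a trailing space on the executable token.
APPROVED = ["backup-tool", "--dry-run"]
REQUESTED = ["backup-tool ", "--dry-run"]
```

With the naive derivation `reuse_allowed(APPROVED, REQUESTED, naive_approval_id)` is true although `display_command` renders the two differently; the strict derivation returns false for the same pair.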
How to mitigate CVE-2026-32065

Install security update from vendor's website.

Sources