Cyber Resilience

CVE-2026-26325

High

Published: 19 February 2026

Published
19 February 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 10.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26325 is a high-severity Improper Access Control (CWE-284) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26325 affects OpenClaw, a personal AI assistant, in versions prior to 2026.2.14. The vulnerability stems from a mismatch between the `rawCommand` and `command[]` parameters in the node host `system.run` handler, which causes allowlist or approval evaluation to be performed on one command while a different argument vector (argv) is executed. This issue is limited to deployments using the node host or companion node execution path for `system.run`, with allowlist-based execution policy enabled (`security=allowlist`) and approval prompting on allowlist misses (e.g., `ask=on-miss`). Default and non-node configurations are unaffected. The vulnerability is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

An attacker requires high privileges (PR:H) to exploit this vulnerability over the network with low complexity and no user interaction. In affected configurations, a privileged adversary who can invoke `system.run` could supply a benign `rawCommand` that passes allowlist checks or approval prompts, while providing a malicious `command[]` argv that executes arbitrary code. This bypasses security controls, potentially granting high-impact unauthorized access to confidentiality, integrity, and availability on the host system.

The OpenClaw security advisory (GHSA-h3f9-mjwj-w476), release notes for v2026.2.14, and fixing commit (cb3290fca32593956638f161d9776266b90ab891) recommend upgrading to version 2026.2.14, which enforces consistency between `rawCommand` and `command[]` through gateway fail-fast checks and node host validation. No additional workarounds are specified for prior versions.

EU & UK References

Vulnerability details

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts…

more

deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation).

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability directly enables arbitrary command execution via parameter mismatch bypass of allowlist/approval controls in system.run (T1059); this is achieved through exploitation of the public-facing AI assistant application over the network (T1190) resulting in unauthorized high-impact access equivalent to privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32038Same product: Openclaw Openclaw
CVE-2026-26316Same product: Openclaw Openclaw
CVE-2026-25593Same product: Openclaw Openclaw
CVE-2026-28473Same product: Openclaw Openclaw
CVE-2026-30741Same product: Openclaw Openclaw
CVE-2026-26319Same product: Openclaw Openclaw
CVE-2026-25474Same product: Openclaw Openclaw
CVE-2026-32302Same product: Openclaw Openclaw
CVE-2026-27002Same product: Openclaw Openclaw
CVE-2026-28451Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.2.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces the allowlist/approval policy on the actual argv that will be executed rather than a mismatched rawCommand.

prevent

Validates consistency between rawCommand and command[] at the gateway and node host before any execution decision is made.

prevent

Restricts the set of permitted commands that system.run may invoke, reducing the impact surface even if the allowlist check is bypassed.

References