CVE-2026-26325
Published: 19 February 2026
Summary
CVE-2026-26325 is a high-severity Improper Access Control (CWE-284) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 10.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.
Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.
Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
Requiring prior authorization for each remote access type prevents improper access control over remote connections.
Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables arbitrary command execution via parameter mismatch bypass of allowlist/approval controls in system.run (T1059); this is achieved through exploitation of the public-facing AI assistant application over the network (T1190) resulting in unauthorized high-impact access equivalent to privilege escalation (T1068).
NVD Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts…
more
deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation).
Deeper analysisAI
CVE-2026-26325 affects OpenClaw, a personal AI assistant, in versions prior to 2026.2.14. The vulnerability stems from a mismatch between the `rawCommand` and `command[]` parameters in the node host `system.run` handler, which causes allowlist or approval evaluation to be performed on one command while a different argument vector (argv) is executed. This issue is limited to deployments using the node host or companion node execution path for `system.run`, with allowlist-based execution policy enabled (`security=allowlist`) and approval prompting on allowlist misses (e.g., `ask=on-miss`). Default and non-node configurations are unaffected. The vulnerability is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
An attacker requires high privileges (PR:H) to exploit this vulnerability over the network with low complexity and no user interaction. In affected configurations, a privileged adversary who can invoke `system.run` could supply a benign `rawCommand` that passes allowlist checks or approval prompts, while providing a malicious `command[]` argv that executes arbitrary code. This bypasses security controls, potentially granting high-impact unauthorized access to confidentiality, integrity, and availability on the host system.
The OpenClaw security advisory (GHSA-h3f9-mjwj-w476), release notes for v2026.2.14, and fixing commit (cb3290fca32593956638f161d9776266b90ab891) recommend upgrading to version 2026.2.14, which enforces consistency between `rawCommand` and `command[]` through gateway fail-fast checks and node host validation. No additional workarounds are specified for prior versions.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai