CVE-2026-26325
Published: 19 February 2026
Summary
CVE-2026-26325 is a high-severity Improper Access Control (CWE-284) vulnerability in OpenClaw. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). It ranks at the 10.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-26325 affects OpenClaw, a personal AI assistant, in versions prior to 2026.2.14. The vulnerability stems from a mismatch between the `rawCommand` and `command[]` parameters in the node host `system.run` handler, which causes allowlist or approval evaluation to be performed on one command while a different argument vector (argv) is executed. This issue is limited to deployments using the node host or companion node execution path for `system.run`, with allowlist-based execution policy enabled (`security=allowlist`) and approval prompting on allowlist misses (e.g., `ask=on-miss`). Default and non-node configurations are unaffected. The vulnerability is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
An attacker requires high privileges (PR:H) to exploit this vulnerability over the network, with low complexity and no user interaction. In affected configurations, a privileged adversary who can invoke `system.run` could supply a benign `rawCommand` that passes allowlist checks or approval prompts, while providing a malicious `command[]` argv that executes arbitrary code. This bypasses security controls, with potentially high impact on the confidentiality, integrity, and availability of the host system.
The OpenClaw security advisory (GHSA-h3f9-mjwj-w476), release notes for v2026.2.14, and fixing commit (cb3290fca32593956638f161d9776266b90ab891) recommend upgrading to version 2026.2.14, which enforces consistency between `rawCommand` and `command[]` through gateway fail-fast checks and node host validation. No additional workarounds are specified for prior versions.
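The sketch below is an added example, not code from OpenClaw or its advisory. It contrasts a policy decision taken on `rawCommand` with one that rejects any `rawCommand`/`command[]` mismatch and then evaluates the allowlist on the argv itself. The function names, the allowlist contents, the quoting rule and the sample requests are all assumptions made for illustration.

```javascript
// Added illustration with hypothetical names; not OpenClaw's code.
const ALLOWLIST = new Set(["ls", "git"]); // constructed policy

// Render argv as one display string, quoting arguments that are not plainly safe.
function renderArgv(argv) {
  const safe = /^[A-Za-z0-9_\/.:=@%+-]+$/;
  return argv
    .map((a) => (safe.test(a) ? a : "'" + a.replace(/'/g, "'\\''") + "'"))
    .join(" ");
}

// Flawed pattern: the decision reads rawCommand, but command[] is what runs.
function decideOnRawCommand(req) {
  const first = req.rawCommand.trim().split(/\s+/)[0];
  return { allowed: ALLOWLIST.has(first), wouldExecute: req.command };
}

// Hardened pattern: reject any mismatch, then decide on the argv itself.
function decideOnArgv(req) {
  const argv = req.command;
  const validArgv = Array.isArray(argv) && argv.length > 0 &&
    argv.every((a) => typeof a === "string");
  if (!validArgv) return { allowed: false, reason: "invalid-argv" };
  if (req.rawCommand !== undefined && req.rawCommand !== renderArgv(argv)) {
    return { allowed: false, reason: "rawCommand-mismatch" };
  }
  if (!ALLOWLIST.has(argv[0])) return { allowed: false, reason: "allowlist-miss" };
  return { allowed: true, reason: "allowlisted", wouldExecute: argv };
}

// Constructed sample requests.
const consistent = { rawCommand: "ls -la", command: ["ls", "-la"] };
const mismatched = { rawCommand: "ls -la", command: ["cat", "/etc/hostname"] };

console.log(decideOnRawCommand(mismatched)); // allowed, yet argv differs
console.log(decideOnArgv(mismatched));       // rejected before any policy decision
console.log(decideOnArgv(consistent));       // allowed on the argv that runs
```

In a deployment with `ask=on-miss`, the `allowlist-miss` result is the point at which an approval prompt would be raised, and the text shown to the approver should be rendered from the same argv.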
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8423
Vulnerability details
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), and allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation).
- CWE(s): CWE-284 (Improper Access Control)
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables arbitrary command execution by using the parameter mismatch to bypass allowlist/approval controls in `system.run` (T1059). This is achieved by exploiting the public-facing AI assistant application over the network (T1190), resulting in unauthorized high-impact access equivalent to privilege escalation (T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces the allowlist/approval policy on the actual argv that will be executed rather than a mismatched rawCommand.
Validates consistency between rawCommand and command[] at the gateway and node host before any execution decision is made.
Restricts the set of permitted commands that system.run may invoke, reducing the impact surface even if the allowlist check is bypassed.