{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T13:35:46.533","vulnerabilities":[{"cve":{"id":"CVE-2026-26325","sourceIdentifier":"security-advisories@github.com","published":"2026-02-19T23:16:25.800","lastModified":"2026-02-23T13:47:10.610","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation)."},{"lang":"es","value":"OpenClaw es un asistente personal de IA. Antes de la versión 2026.2.14, una inconsistencia entre `rawCommand` y `command[]` en el gestor `system.run` del host del nodo podría causar que la evaluación de la lista de permitidos/aprobación se realizara sobre un comando mientras se ejecutaba un argv diferente. Esto solo afecta a las implementaciones que utilizan la ruta de ejecución del host del nodo / nodo compañero (`system.run` en un nodo), habilitan la política de ejecución basada en lista de permitidos (`security=allowlist`) con solicitudes de aprobación impulsadas por fallos en la lista de permitidos (por ejemplo, `ask=on-miss`), y permiten a un atacante invocar `system.run`. Las configuraciones predeterminadas/no de nodo no se ven afectadas. La versión 2026.2.14 impone la consistencia de `rawCommand`/`command[]` (validación rápida de fallos en la pasarela + validación del host del nodo)."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-284"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2026.2.14","matchCriteriaId":"0F3079A3-9FBD-4E87-821D-5CAF0622C555"}]}]}],"references":[{"url":"https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}