Summary
For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string.
Affected Packages / Versions
- Package:
openclaw (npm)
- Affected:
<= 2026.2.25
- Fixed:
>= 2026.2.26 (planned next npm release)
Impact
A command approved for one filesystem location could execute from a different location if a mutable parent symlink changed between approval and execution.
Fix
- Added immutable approval-time plan preparation (
system.run.prepare) and systemRunPlanV2 canonical fields (argv, cwd, agentId, sessionKey).
- Enforced canonical plan values through approval request storage and forwarding-time sanitization.
- Rejected mutable parent-symlink path components during approval-plan building to block symlink rebind bypass.
- Follow-up refactors centralized command catalogs and approval context/error handling to reduce future drift.
Fix Commit(s)
78a7ff2d50fb3bcef351571cb5a0f21430a340c1
d82c042b09727a6148f3ca651b254c4a677aff26
d06632ba45a8482192792c55d5ff0b2e21abb0a7
4e690e09c746408b5e27617a20cb3fdc5190dbda
4b4718c8dfce2e2c48404aa5088af7c013bed60b
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.26). Once npm openclaw@2026.2.26 is published, publish this advisory directly without further version-field edits.
OpenClaw thanks @tdjackey for reporting.
References
Summary
For
host=nodeexecutions, approval context could be bypassed after approval-time by rebinding a writable parent symlink incwdwhile preserving the visiblecwdstring.Affected Packages / Versions
openclaw(npm)<= 2026.2.25>= 2026.2.26(planned next npm release)Impact
A command approved for one filesystem location could execute from a different location if a mutable parent symlink changed between approval and execution.
Fix
system.run.prepare) andsystemRunPlanV2canonical fields (argv,cwd,agentId,sessionKey).Fix Commit(s)
78a7ff2d50fb3bcef351571cb5a0f21430a340c1d82c042b09727a6148f3ca651b254c4a677aff26d06632ba45a8482192792c55d5ff0b2e21abb0a74e690e09c746408b5e27617a20cb3fdc5190dbda4b4718c8dfce2e2c48404aa5088af7c013bed60bRelease Process Note
patched_versionsis pre-set to the planned next release (2026.2.26). Once npmopenclaw@2026.2.26is published, publish this advisory directly without further version-field edits.OpenClaw thanks @tdjackey for reporting.
References