CVE-2026-31997

Description

OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind

Predictions

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

• https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4
• https://nvd.nist.gov/vuln/detail/CVE-2026-31997
• https://github.com/openclaw/openclaw
• https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals