{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50478?format=json","vulnerability_id":"VCID-pcea-jxne-vygc","summary":"OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind\nFor `host=node` runs, approvals validated command context but did not pin executable identity for non-path-like `argv[0]` tokens (for example `tr`). If PATH resolution changed after approval, execution could run a different binary.","aliases":[{"alias":"CVE-2026-31997"},{"alias":"GHSA-q399-23r3-hfx4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74372?format=json","purl":"pkg:npm/openclaw@2026.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-qahm-7zt5-fqcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.1"}],"affected_packages":[],"references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals","reference_id":"","reference_type":"","scores":[],"url":"https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31997","reference_id":"CVE-2026-31997","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31997"},{"reference_url":"https://github.com/advisories/GHSA-q399-23r3-hfx4","reference_id":"GHSA-q399-23r3-hfx4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-q399-23r3-hfx4"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4","reference_id":"GHSA-q399-23r3-hfx4","reference_type":"","scores":[],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4"}],"weaknesses":[{"cwe_id":367,"name":"Time-of-check Time-of-use (TOCTOU) Race Condition","description":"The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state."},{"cwe_id":426,"name":"Untrusted Search Path","description":"The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pcea-jxne-vygc"}