system.run approvals in OpenClaw used rendered command text as the approval identity while trimming argv token whitespace. Runtime execution still used raw argv. A crafted trailing-space executable token could therefore execute a different binary than what the approver saw.

This is an approval-integrity bypass that can lead to unexpected command execution under the OpenClaw runtime user when an attacker can influence command argv and reuse/obtain a matching approval context.

OpenClaw does not treat adversarial multi-user sharing of one gateway host/config as a supported security boundary. This finding is still valid in supported deployments because it breaks the operator approval boundary itself (approved display command vs executed argv).

patched versions is pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25.

OpenClaw thanks @tdjackey for reporting.