CVE-2026-32052 PUBLISHED

OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers

Assigner: VulnCheck
Reserved: 10.03.2026 Published: 21.03.2026 Updated: 21.03.2026

OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary commands through trailing positional arguments that bypass display context validation.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 5.8

Product Status

Vendor OpenClaw
Product OpenClaw
Versions Default: unaffected
  • affected from 0 to 2026.2.24 (excl.)
  • Version 2026.2.24 is unaffected

Credits

  • tdjackey reporter

References

Problem Types

  • Interpretation Conflict CWE