CVE-2026-31999

MEDIUM

OpenClaw 2026.2.26 < 2026.3.1 - Current Working Directory Injection via Windows Wrapper Resolution Fallback

Title source: cna

Description

OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss by controlling the current working directory during wrapper resolution.

References (2)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-6f6j-wx9w-ff4j

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-current-working-directory-injection-via-windows-wrapper-resolution-fallback

Scores

CVSS v3 6.3

EPSS 0.0008

EPSS Percentile 23.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Details

CWE

CWE-78

Status published

Products (4)

npm/openclaw 2026.2.26 - 2026.3.1npm

OpenClaw/OpenClaw 2026.2.26 - 2026.3.1

openclaw/openclaw 2026.2.26 - 2026.3.1

OpenClaw/OpenClaw 2026.3.1

Published Mar 19, 2026

Tracked Since Mar 19, 2026