CVE-2026-32000
HIGHOpenClaw < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Tool Execution
Title source: cnaDescription
OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers can inject shell metacharacters in command arguments to execute arbitrary commands when subprocess launch fails with EINVAL or ENOENT errors.
References (3)
Core 3
Core References
Third Party Advisory third-party-advisory
GitHub Security Advisory (GHSA-7fcc-cw49-xm78)
https://github.com/openclaw/openclaw/security/advisories/GHSA-7fcc-cw49-xm78
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/ba7be018da354ea9f803ed356d20464df0437916
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Tool Execution
https://www.vulncheck.com/advisories/openclaw-command-injection-via-windows-shell-fallback-in-lobster-tool-execution
Scores
CVSS v3
7.1
EPSS
0.0062
EPSS Percentile
44.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-78
Status
published
Products (4)
npm/openclaw
0 - 2026.2.19npm
OpenClaw/OpenClaw
< 2026.2.19
openclaw/openclaw
< 2026.2.19
OpenClaw/OpenClaw
2026.2.19
Published
Mar 19, 2026
Tracked Since
Mar 19, 2026