CVE-2026-32032
Severity: HIGH
OpenClaw < 2026.2.22 - Arbitrary Shell Execution via Unvalidated SHELL Environment Variable
Title source: cna
Description
OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in the shell environment fallback, which trusts the unvalidated SHELL path taken from the host environment. An attacker with local environment access can inject a malicious SHELL variable to execute arbitrary commands with the privileges of the OpenClaw process.
References (3)
Core References
Third Party Advisory
GitHub Security Advisory (GHSA-f8mp-vj46-cq8v)
https://github.com/openclaw/openclaw/security/advisories/GHSA-f8mp-vj46-cq8v
Patch
Patch Commit
https://github.com/openclaw/openclaw/commit/25e89cc86338ef475d26be043aa541dfdb95e52a
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.2.22 - Arbitrary Shell Execution via Unvalidated SHELL Environment Variable
https://www.vulncheck.com/advisories/openclaw-arbitrary-shell-execution-via-unvalidated-shell-environment-variable
Scores
CVSS v3
7.8
EPSS
0.0013
EPSS Percentile
2.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-426
Status
published
Products (4)
npm/openclaw
0 - 2026.2.22 (npm)
OpenClaw/OpenClaw
< 2026.2.22
openclaw/openclaw
< 2026.2.22
OpenClaw/OpenClaw
2026.2.22
Published
Mar 19, 2026
Tracked Since
Mar 20, 2026