CpenClaw Windows ACPX wrapper allows malicious command execution

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

9.3

CpenClaw Windows ACPX wrapper allows malicious command execution

GHSA-6f6j-wx9w-ff4j

Summary

CpenClaw's Windows ACPX feature can be tricked into executing malicious commands if the current working directory is manipulated. This affects Windows users who use CpenClaw version 2026.2.26 or later, but before 2026.3.1. To fix this, update to CpenClaw version 2026.3.1 or later, which includes a fix that makes it more difficult for this to happen.

What to do

Update openclaw to version 2026.3.1.

Affected software

Vendor	Product	Affected versions	Fix available
–	openclaw	> 2026.2.26 , <= 2026.3.1	2026.3.1

Original title

CpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths

Original description

### Summary
On Windows ACPX paths, wrapper resolution for `.cmd`/`.bat` could fall back to shell execution in ways that allowed `cwd` influence to alter execution behavior.

### Impact
In affected Windows ACPX configurations, this could enable command execution integrity loss through cwd-influenced wrapper resolution.

### Fix
Wrapper resolution now prefers explicit PATH/PATHEXT entrypoint resolution and unwrapped Node/EXE execution, with strict fail-closed handling enabled by default for unresolvable wrapper cases.

### Affected and Patched Versions
- Affected: `>= 2026.2.26, < 2026.3.1`
- Patched: `2026.3.1`

ghsa CVSS4.0 9.3

Vulnerability type

CWE-78 OS Command Injection

Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026