OpenClaw on Windows can run malicious commands

GHSA-fg3m-vhrr-8gj6 (CVSS 4.0 score: 5.1)
Summary

OpenClaw's Lobster extension, when running on Windows, could run malicious commands if a specific spawn-failure fallback condition was met, potentially allowing an attacker to execute arbitrary commands. Affected versions of OpenClaw should be updated to the latest patched version. Users should check which version of OpenClaw they are running and update to the patched version if necessary.

What to do
  • Update openclaw to version 2026.2.19.
Affected software
  Vendor: –
  Product: openclaw
  Affected versions: > 2026.1.21, <= 2026.2.17
  Fix available: 2026.2.19
Original title
OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
Original description
### Summary
On Windows, the Lobster extension previously retried certain spawn failures (`ENOENT`/`EINVAL`) with `shell: true` for wrapper compatibility. In that fallback path, tool-provided arguments could be interpreted by `cmd.exe` if fallback was triggered.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version at triage: `2026.2.17`
- Affected range: `>= 2026.1.21 <= 2026.2.17`
- Patched version: `2026.2.19` (pre-set for next release)

### Fix
The Windows shell fallback was removed. Wrapper compatibility is preserved by resolving `.cmd`/`.bat` shims to a concrete Node entrypoint (or executable) and executing with explicit argv (no shell). If a safe entrypoint cannot be resolved, execution now fails closed with a guided error.

### Fix Commit(s)
- `ba7be018da354ea9f803ed356d20464df0437916`

### Severity Context
This issue requires Windows plus fallback-triggering conditions, and argument control through a local operator-defined workflow.

OpenClaw thanks @tdjackey for reporting.
Severity: CVSS 4.0 score 5.1 (GHSA)
Vulnerability type: CWE-78 OS Command Injection (Improper Neutralization of Special Elements used in an OS Command)
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026