Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.8
OpenClaw versions prior to 2026.2.24 allow hackers to run secret commands
CVE-2026-32052
Summary
Some versions of OpenClaw are vulnerable to a security risk that lets hackers trick the system into running hidden commands. This can happen when the system is told to run a command from a misleading message. To stay safe, update to version 2026.2.24 or later.
Original title
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers...
Original description
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary commands through trailing positional arguments that bypass display context validation.
nvd CVSS3.1
6.4
nvd CVSS4.0
5.8
Vulnerability type
CWE-436
- https://github.com/openclaw/openclaw/commit/0f0a680d3df81739ea5088a2f88e65f938b7...
- https://github.com/openclaw/openclaw/commit/55cf92578d266987e390c4bf688196af98ea...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-6rcp-vxwf-3mfp
- https://www.vulncheck.com/advisories/openclaw-hidden-command-execution-via-shell...
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026