Improper Resource Shutdown or Release in OpenClaw - CVE-2026-35667

 


Published: May 1, 2026


Vulnerability identifier: #VU128735
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35667
CWE-ID: CWE-404
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service and disrupt process cleanup.

The vulnerability exists due to improper resource shutdown or release in the !stop chat command via shell-utils.ts when stopping background bash processes. A local user can invoke the !stop or /bash stop command to cause a denial of service and disrupt process cleanup.

Processes are terminated with SIGKILL immediately, which prevents graceful shutdown handlers from running and can leave files, locks, connections, or audit operations incomplete.
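The difference between the immediate SIGKILL described above and a staged shutdown, as an added example that is not OpenClaw's code or the vendor's fix: the routine sends SIGTERM first and escalates to SIGKILL only after a grace period. The names stopGracefully, graceMs and timers are hypothetical, and the child argument is assumed to be shaped like a Node.js ChildProcess.

```javascript
// Added example: stopGracefully and its options are hypothetical names,
// not OpenClaw's API. `child` is any object shaped like a Node.js
// ChildProcess: kill(signal), once("exit", cb), exitCode, signalCode.
const realTimers = {
  set: (fn, ms) => setTimeout(fn, ms),
  clear: (id) => clearTimeout(id),
};

function stopGracefully(child, { graceMs = 5000, timers = realTimers } = {}) {
  return new Promise((resolve) => {
    const sent = []; // signals delivered, in order, for the audit trail
    // Already exited: nothing to signal.
    if (child.exitCode !== null || child.signalCode !== null) {
      resolve({ sent, escalated: false, code: child.exitCode, signal: child.signalCode });
      return;
    }
    let escalated = false;
    // Arm the escalation before signalling so a fast exit can cancel it.
    const timer = timers.set(() => {
      escalated = true;
      sent.push("SIGKILL");
      child.kill("SIGKILL"); // last resort: handlers cannot run after this
    }, graceMs);
    child.once("exit", (code, signal) => {
      timers.clear(timer);
      resolve({ sent, escalated, code, signal });
    });
    // SIGTERM can be trapped, so the process gets a chance to flush files,
    // release locks and close connections before it exits.
    sent.push("SIGTERM");
    child.kill("SIGTERM");
  });
}
```

With a real background process, pass the object returned by child_process.spawn and log the resolved `escalated` flag so forced kills remain visible in audit records.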


How to mitigate CVE-2026-35667

Install the security update from the vendor's website.
