OS Command Injection in OpenClaw - #VU129402

Published: May 4, 2026


Vulnerability identifier: #VU129402
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to alter SCP argument semantics.

The vulnerability exists due to command injection in channels.imessage.remoteHost when remote host tokens are processed for SCP attachment fetching. A remote attacker can supply an unsafe remote host token value that alters the semantics of the arguments passed to SCP.

Only remote iMessage deployments that use SCP attachment fetching are affected.
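The following TypeScript is an added example and is not part of the advisory or of OpenClaw's code; it shows one way to validate a remote host token before it is placed into an scp argument vector. The function names, the hostname grammar, and the assumption that the token becomes the host part of an scp host:path argument are mine, not taken from the page.

```typescript
// Added example, not OpenClaw's code: validate a channels.imessage.remoteHost
// token before it is placed in an scp argument vector, so the token can never
// be parsed as an scp option or change how scp splits "host:path".

// RFC 1123 style label: letters, digits, hyphen; no leading or trailing hyphen.
const HOST_LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
// Optional "user@" prefix, restricted to a conservative character set.
const SSH_USER = /^[A-Za-z0-9._-]{1,64}$/;

function isSafeRemoteHost(token: string): boolean {
  if (token.length === 0 || token.length > 320) return false;
  // A leading "-" would let scp read the token as a flag instead of a host.
  if (token.startsWith("-")) return false;
  // Whitespace, ":" and shell or glob metacharacters are never part of a
  // hostname; ":" in particular is where scp splits host from remote path.
  if (/[\s:\/\\'"`$;&|<>(){}\[\]*?!#~%=]/.test(token)) return false;
  const at = token.lastIndexOf("@");
  const user = at === -1 ? "" : token.slice(0, at);
  const host = at === -1 ? token : token.slice(at + 1);
  if (at !== -1 && !SSH_USER.test(user)) return false;
  if (host.length === 0 || host.length > 253) return false;
  return host.split(".").every((label) => HOST_LABEL.test(label));
}

// Builds the argv for a single attachment fetch. The remote host token is
// checked first and "--" ends option parsing, so neither positional argument
// can be taken as an scp option. Pass the result to execFile (no shell).
function buildScpArgv(hostToken: string, remotePath: string, localDest: string): string[] {
  if (!isSafeRemoteHost(hostToken)) {
    throw new Error("refusing unsafe channels.imessage.remoteHost value: " + JSON.stringify(hostToken));
  }
  if (remotePath.length === 0 || localDest.length === 0) {
    throw new Error("remote path and local destination must be non-empty");
  }
  return ["scp", "--", `${hostToken}:${remotePath}`, localDest];
}
```

Rejecting the token at configuration load time, rather than when the fetch runs, gives the operator a clear error instead of a failed or altered scp invocation.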


Remediation

Install security update from vendor's website.

Sources