OS Command Injection in OpenClaw - CVE-2026-32000

 

OS Command Injection in OpenClaw - CVE-2026-32000

Published: May 4, 2026


Vulnerability identifier: #VU129404
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-32000
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to command injection in extensions/lobster/src/lobster-tool.ts when retrying tool execution with Windows shell fallback after spawn failures. A remote attacker can supply command arguments containing shell metacharacters to execute arbitrary commands.

The issue is exposed on Windows in the fallback path triggered by EINVAL or ENOENT spawn errors.


How to mitigate CVE-2026-32000

Install security update from vendor's website.

Sources