OS Command Injection in OpenClaw - CVE-2026-32000
Published: May 4, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to command injection in extensions/lobster/src/lobster-tool.ts when retrying tool execution with Windows shell fallback after spawn failures. A remote attacker can supply command arguments containing shell metacharacters to execute arbitrary commands.
The issue is exposed on Windows in the fallback path triggered by EINVAL or ENOENT spawn errors.