OS Command Injection in OpenClaw - #VU129405
Published: May 4, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a local user to execute arbitrary OS commands.
The vulnerability exists due to command injection in runtime.system.runCommandWithTimeout when processing plugin-supplied command input. A local user can supply crafted command arguments to execute arbitrary OS commands.
The issue applies within the trusted plugin boundary because plugins run in-process with the same OS privileges as the OpenClaw process.