Command injection in OpenClaw - #VU129428
Published: May 4, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a local user to stage ignored files.
The vulnerability exists due to command injection in git-hooks/pre-commit when processing maliciously named files during commits. A local user can create a specially named file beginning with a hyphen to stage ignored files.
This issue only affects contributors using the repository's built-in git hook setup from a repository checkout or source release, and only when sensitive ignored files are present in the working directory.