Command injection in OpenClaw - CVE-2026-25157

Published: May 4, 2026


Vulnerability identifier: #VU129501
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-25157
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the remote SSH host.

The vulnerability exists due to command injection in the sshNodeCommand function in CommandResolver.swift when constructing a shell script with a user-supplied project root path. A remote attacker can influence remote connection settings so that a crafted project path is interpolated into an echo statement to execute arbitrary code on the remote SSH host.

User interaction is required, and the issue affects the macOS menubar application in Remote/SSH mode only.
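The following POSIX sh snippet is an added illustration of the pattern the description refers to; it is not OpenClaw's code and is not taken from CommandResolver.swift. It shows, in general terms, how a project root spliced verbatim into a generated script is parsed by the shell that runs it, and how wrapping the value in single quotes (with embedded single quotes escaped) keeps it a literal string. The function names and the sample path are hypothetical.

```shell
#!/bin/sh
# Added example (not OpenClaw code). Demonstrates why a user-supplied
# path must be quoted before it is embedded in generated shell text.

# Hypothetical vulnerable pattern: the path is interpolated as-is, so
# any shell syntax inside it is evaluated when the script runs.
build_remote_script_unsafe() {
    printf 'echo %s\n' "$1"
}

# Escape a value for single-quoted inclusion in shell text: wrap it in
# single quotes and turn each embedded ' into '\'' so it stays literal.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened pattern: the same script, with the path quoted first.
build_remote_script_safe() {
    printf 'echo %s\n' "$(shell_quote "$1")"
}

# Run a generated script in a fresh shell, standing in for the remote
# host's shell in this local demonstration.
run_remote_script() {
    sh -c "$1"
}

# Constructed sample: a path that carries a harmless command substitution
# as a marker. The marker only shows the problem; it is not an exploit.
SAMPLE_PATH='/home/dev/proj $(echo INJECTED)'

echo "unsafe script output: $(run_remote_script "$(build_remote_script_unsafe "$SAMPLE_PATH")")"
echo "safe script output:   $(run_remote_script "$(build_remote_script_safe "$SAMPLE_PATH")")"
```

The unsafe variant prints the marker's result (`/home/dev/proj INJECTED`) because the substitution was evaluated; the safe variant prints the path exactly as supplied. Quoting is the minimum fix; a stricter defence is to validate the path against an allowlist of characters before it is used at all, and to pass it to the remote side as an argument rather than as script text.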


How to mitigate CVE-2026-25157

Install the security update from the vendor's website.

Sources