OS Command Injection in OpenClaw - #VU132697


Published: May 29, 2026


Vulnerability identifier: #VU132697
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to execute unauthorized commands.

The vulnerability exists due to improper neutralization of special elements used in an OS command in the bundled MCP session-spawn path when handling reachable loopback session-spawn requests. A remote user can bypass the exec denylist and execute unauthorized commands.

Only configurations with the affected bundled MCP loopback feature enabled and reachable are vulnerable.


Remediation

Install the security update from the vendor's website.

Sources