Incomplete List of Disallowed Inputs in OpenClaw - #VU132710


Published: May 29, 2026


Vulnerability identifier: #VU132710
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-184
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to execute shell content without the intended approval or allowlist prompt.

The vulnerability exists due to an incomplete list of disallowed inputs in the shell inline-command parser when it processes shell inline-command forms: the parser screens for known forms rather than accepting only approved ones, so a form missing from the list is passed through. A remote user can send a crafted command request to execute shell content without the intended approval or allowlist prompt.

Only instances with the affected feature enabled and exposed to remote input are vulnerable, and the practical impact depends on whether lower-trust input can reach that parser path.
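The advisory does not say which inline-command forms OpenClaw's parser misses, so the following is a generic, added illustration of the CWE-184 pattern and not OpenClaw's code. It assumes a hypothetical approval gate in which a denylist of "dangerous" forms decides whether a command request is auto-allowed or sent to the approval prompt, and shows it beside an allowlist gate that fails closed. The request strings are constructed for this example.

```typescript
// Hypothetical approval gate for shell command requests (example code,
// not OpenClaw's implementation). "allow" means the request runs without
// an approval prompt; "prompt" means the user must approve it.
type Decision = "allow" | "prompt";

// Vulnerable pattern (CWE-184): a denylist of inline-command forms.
// Only command substitution is listed; every other way of executing
// extra shell content passes straight through.
const DENIED_FORMS: RegExp[] = [
  /\$\(/, // $(cmd) command substitution
  /`/,    // `cmd` command substitution
];

function gateDenylist(request: string): Decision {
  return DENIED_FORMS.some((re) => re.test(request)) ? "prompt" : "allow";
}

// Hardened pattern: an allowlist. Anything containing a shell
// metacharacter, a newline or an unknown command word is sent to the
// prompt. Unknown input fails closed instead of open.
const ALLOWED_COMMANDS = new Set(["ls", "pwd", "git"]); // assumed policy
const SAFE_CHARS = /^[-A-Za-z0-9_./@:=,+ ]*$/; // no $ ` ; & | < > ( ) \n

function gateAllowlist(request: string): Decision {
  if (!SAFE_CHARS.test(request)) return "prompt";
  const firstWord = request.trim().split(/\s+/)[0] ?? "";
  return ALLOWED_COMMANDS.has(firstWord) ? "allow" : "prompt";
}

// Constructed sample requests, not taken from any real exploit.
const CONSTRUCTED_REQUESTS: string[] = [
  "ls -la /tmp",  // benign
  "ls $(id)",     // on the denylist: caught
  "ls `id`",      // on the denylist: caught
  "ls <(id)",     // process substitution: not on the denylist
  "ls; id",       // command separator: not on the denylist
  "ls && id",     // command chaining: not on the denylist
  "ls\nid",       // newline separator: not on the denylist
];

// Requests the denylist auto-allows but the allowlist would prompt for,
// i.e. the gap an incomplete denylist leaves open.
function denylistBypasses(requests: string[] = CONSTRUCTED_REQUESTS): string[] {
  return requests.filter(
    (r) => gateDenylist(r) === "allow" && gateAllowlist(r) === "prompt",
  );
}

for (const r of CONSTRUCTED_REQUESTS) {
  console.log(
    JSON.stringify(r).padEnd(16),
    "denylist:", gateDenylist(r).padEnd(6),
    "allowlist:", gateAllowlist(r),
  );
}
console.log("bypasses:", denylistBypasses().map((r) => JSON.stringify(r)));
```

The point of the comparison is the default: the denylist gate allows everything it does not recognise, so each forgotten form is a silent bypass of the approval step, whereas the allowlist gate prompts for everything it does not recognise, so a forgotten form costs the user an extra confirmation rather than an unapproved execution.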


Remediation

Install the security update from the vendor's website.

Sources