OS Command Injection in OpenClaw - #VU135882
Published: June 30, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote user to execute or persist unauthorized actions.
The vulnerability exists due to command injection in the host exec environment filtering for the Git ext transport when processing lower-trust caller or configured input paths. A remote user can provide crafted input to execute or persist unauthorized actions.
Only instances where the affected feature is enabled and reachable are vulnerable.