CVE-2026-32032

7.0 HIGH

Published: March 19, 2026 Modified: March 19, 2026

Description

OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell environment fallback that trusts the unvalidated SHELL path from the host environment. An attacker with local environment access can inject a malicious SHELL variable to execute arbitrary commands with the privileges of the OpenClaw process.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/openclaw/openclaw/commit/25e89cc86338ef475d26be043aa541dfdb95e52a

Source: disclosure@vulncheck.com

https://github.com/openclaw/openclaw/security/advisories/GHSA-f8mp-vj46-cq8v

Source: disclosure@vulncheck.com

https://www.vulncheck.com/advisories/openclaw-arbitrary-shell-execution-via-unvalidated-shell-environment-variable

Source: disclosure@vulncheck.com

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

7.0 / 10.0

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-426

Related CVEs

CVE-2026-4478 8.1

CVE-2026-4477 3.1

CVE-2026-4476 6.3

CVE-2026-4475 8.8

CVE-2026-4474 2.4