CVE-2026-32052
Published 2026-03-21
Priority: P2 (66) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.91% (55.5th percentile)
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary commands through trailing positional arguments that bypass display context validation.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openclaw | openclaw | < 2026.2.24 | 2026.2.24 |
| openclaw | openclaw | >= 0 < 2026.2.24 | 2026.2.24 |
Detection & IOCs (extracted from sources)
- Look for command injection attempts in the system.run shell-wrapper of OpenClaw, specifically trailing positional arguments appended after inline shell payloads that may hide arbitrary commands from display context validation.
- Monitor invocations of the OpenClaw (formerly Moltbot or Clawdbot) `system.run` shell-wrapper for unexpected or anomalous positional arguments following the primary command string.
- Only OpenClaw versions prior to 2026.2.24 are vulnerable; versions 2026.2.24 and later contain the fix. The package is also known under its former names Moltbot and Clawdbot.
- Fix availability varies by package manager: the npm fix was added 2026-03-31, while the Homebrew and MinimOS fixes were added earlier, on 2026-03-24.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v4.0: 5.8 MEDIUM (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
GHSA
OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
GHSA · 2026-03-03
CVE-2026-32052 [MEDIUM] CWE-436 OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
### Summary
In `openclaw` up to and including **2026.2.23** (latest npm release as of **February 25, 2026**), `system.run` shell-wrapper inputs could present misleading approval/display text while still carrying hidden positional argv payloads that execute at runtime.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.23`
- Fixed: `>= 2026.2.24` (planned next release)
### Root Cause
For shell-wrapper forms (for example `/bin/sh -c ...`), command-text binding could focus on inline shell payload text while runtime execution still used the full argv vector. Positional argv carriers after the inline payload could therefore be executed under incomplete display con
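The root-cause description above, and the two detection items listed under Detection & IOCs, can be made concrete with the following added example. It is not OpenClaw's code and is not taken from the advisory or the fix commits; the function names, the list of wrapper shells and the sample argv are assumptions constructed for illustration. It parses the `sh -c <script> [operands...]` form, compares the argv indices that a display binding accounts for against the operands the shell will actually receive, and withholds approval when any operand is unaccounted for.

```javascript
// Added example (not OpenClaw's code): models the display/execution mismatch
// behind CVE-2026-32052 for the `sh -c <script> [operands...]` wrapper form and
// shows the check that closes it. Function names, the wrapper list and the
// sample argv are constructed for this example.
//
// The shell binds operands after <script> to $0, $1, ..., so they are part of
// what executes. An approval text that renders only <script> therefore omits
// part of the runtime command line.

const SHELL_NAMES = new Set(["sh", "bash", "dash", "zsh", "ksh"]);

// Last path component, so "/bin/sh", "/usr/bin/bash" and "sh" all match.
function basename(path) {
  return path.split("/").pop();
}

// Recognise `shell [options] -c <script> [operands...]`.
// Assumption: only single-letter option clusters precede -c (e.g. "-e", "-xc");
// options that take their own argument (such as "-o pipefail") are not modelled,
// and `sh script.sh args` (no -c) is reported as "not a wrapper" (null).
function parseShellWrapper(argv) {
  if (argv.length < 3 || !SHELL_NAMES.has(basename(argv[0]))) return null;
  for (let i = 1; i < argv.length; i++) {
    const tok = argv[i];
    if (tok === "--" || tok === "-" || !tok.startsWith("-")) return null;
    if (/^-[A-Za-z]*c[A-Za-z]*$/.test(tok)) {
      if (i + 1 >= argv.length) return null; // -c with no script
      return {
        shell: argv[0],
        scriptIndex: i + 1,
        script: argv[i + 1],
        operands: argv.slice(i + 2), // become $0, $1, ... at runtime
      };
    }
  }
  return null;
}

// Vulnerable binding: the reviewer sees only the inline script, so only that
// argv index is "bound" to the approval text.
function bindScriptOnly(argv) {
  const w = parseShellWrapper(argv);
  if (!w) return { text: argv.join(" "), boundIndices: argv.map((_, i) => i) };
  return { text: w.script, boundIndices: [w.scriptIndex] };
}

// Hardened binding: every argv element is rendered (quoted where needed), so
// the approval text and the executed vector cover the same indices.
function shellQuote(s) {
  return /^[A-Za-z0-9_./:=@%+-]+$/.test(s) ? s : "'" + s.replace(/'/g, "'\\''") + "'";
}
function bindFullArgv(argv) {
  return { text: argv.map(shellQuote).join(" "), boundIndices: argv.map((_, i) => i) };
}

// Gate: approve only when the binding accounts for every operand the shell
// will receive; otherwise report the operands the reviewer never saw. The
// same `hidden` list is what a monitoring rule for this wrapper would log.
function gateApproval(argv, binder) {
  const binding = binder(argv);
  const w = parseShellWrapper(argv);
  const hidden = w
    ? w.operands.filter((_, k) => !binding.boundIndices.includes(w.scriptIndex + 1 + k))
    : [];
  return { text: binding.text, hidden, approved: hidden.length === 0 };
}

// Constructed sample: a harmless script plus two operands that the
// script-only display would not show.
const SAMPLE_ARGV = ["/bin/sh", "-c", 'echo "$1"', "sh", "tail-operand-not-shown"];

console.log(gateApproval(SAMPLE_ARGV, bindScriptOnly)); // approved: false, hidden: ["sh", "tail-operand-not-shown"]
console.log(gateApproval(SAMPLE_ARGV, bindFullArgv));   // approved: true, hidden: []
```

Run it with `node`. The script-only binding reproduces the mismatch the advisory describes: the approval text is `echo "$1"` while the shell also receives two operands. The full-argv binding is the straightforward fix, since the text shown for approval and the vector handed to the shell then cover the same elements, and any non-empty `hidden` list is the signal a detection rule should surface.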
OSV
OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
OSV · 2026-03-03
CVE-2026-32052 [MEDIUM] OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
No detection rules found.
No public exploits indexed.
References
- https://github.com/openclaw/openclaw/commit/0f0a680d3df81739ea5088a2f88e65f938b7936b
- https://github.com/openclaw/openclaw/commit/55cf92578d266987e390c4bf688196af98eac748
- https://github.com/openclaw/openclaw/security/advisories/GHSA-6rcp-vxwf-3mfp
- https://www.vulncheck.com/advisories/openclaw-hidden-command-execution-via-shell-wrapper-positional-argv-carriers