CVE-2026-32917
Published 2026-03-31
Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.97% (78.0th percentile)
OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote attachment paths containing shell metacharacters are passed directly to the SCP remote operand without validation, enabling command execution when remote attachment staging is enabled.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openclaw | openclaw | < 2026.3.13 | 2026.3.13 |
Detection & IOCs (extracted from sources)
- Look for shell metacharacters in remote attachment paths passed to the SCP remote operand; this indicates exploitation of the iMessage attachment staging flow.
- Flag SCP invocations originating from OpenClaw (formerly Moltbot or Clawdbot) processes where the remote operand contains shell metacharacters (e.g., `;`, `|`, `$()`, backticks, `&&`).
- Detect OpenClaw versions prior to 2026.3.13 in inventory; the vulnerability is present when remote attachment staging is enabled.
- The vulnerability is only exploitable when remote attachment staging is explicitly enabled in OpenClaw configuration; instances with this feature disabled are not affected.
- No public exploit is currently available, reducing immediate exploitation risk despite a high EPSS percentile (69.2).
CVSS provenance
- NVD, CVSS v3.1, 9.8 (CRITICAL): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0, 9.2 (CRITICAL): CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
No detection rules found.
No public exploits indexed.