CVE-2026-32052
CRITICAL WAF: High
CVSS 9.8
Published: 2026-03-21
CWE-77
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary commands through trailing positional arguments that bypass display context validation.
WAF Coverage Analysis
Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| openclaw | openclaw | up to 2026.2.24 |
References
- github.com (Patch)
- github.com (Patch)
- github.com (Vendor Advisory)
- www.vulncheck.com (Third Party Advisory)