#VU125121 Improper Neutralization of Argument Delimiters in a Command in OpenClaw - CVE-2026-29608

 


Published: April 8, 2026


Vulnerability identifier: #VU125121
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-29608
CWE-ID: CWE-88
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a local user to execute unintended local scripts.

The vulnerability exists due to improper neutralization of argument delimiters in the system.run approval hardening of the node host, which occurs when wrapper command argv is rewritten. A local user who can influence the wrapper argv and place a local file in the approved working directory can cause unintended local scripts to be executed.

User interaction is required because the operator must approve the displayed command.
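
A generic sketch of this weakness class (CWE-88) and of a check that binds an approval to the exact argv, added here as an example and not taken from OpenClaw's code. The function names, the whitespace re-splitting rewrite and the sample argv are assumptions made for illustration; the advisory does not describe the actual rewrite logic.

```javascript
// Added illustration of the CWE-88 class; not OpenClaw code.
// Every function name here is hypothetical.

// Weak display: argv joined by spaces loses argument boundaries, so
// different argv vectors can look identical in an approval prompt.
function displayNaive(argv) {
  return argv.join(" ");
}

// Hardened display: each argument is rendered as a JSON string, so embedded
// spaces, quotes and empty arguments stay visible to the operator.
function displayExact(argv) {
  return argv.map((a) => JSON.stringify(a)).join(" ");
}

// Bind the approval to the exact argv vector and working directory.
function approve(argv, cwd) {
  return { argv: [...argv], cwd, shown: displayExact(argv) };
}

// Before execution, require that the argv actually handed to the process
// (after any wrapper rewriting) is element-for-element what was approved.
function matchesApproval(approval, finalArgv, cwd) {
  return cwd === approval.cwd &&
    finalArgv.length === approval.argv.length &&
    finalArgv.every((a, i) => a === approval.argv[i]);
}

// Assumed defect for illustration: a rewrite step that flattens argv to a
// string and re-tokenizes on whitespace, changing the argument boundaries.
function rewriteBySplitting(argv) {
  return argv.join(" ").split(/\s+/).filter(Boolean);
}

// Constructed sample: one argument contains a space.
const approvedArgv = ["wrapper", "--", "tool", "report file.txt"];
const approval = approve(approvedArgv, "/work/project");
const rewritten = rewriteBySplitting(approvedArgv);

console.log("naive, approved :", displayNaive(approvedArgv));
console.log("naive, rewritten:", displayNaive(rewritten));
console.log("exact, approved :", approval.shown);
console.log("exact, rewritten:", displayExact(rewritten));
console.log("matches approval:", matchesApproval(approval, rewritten, "/work/project"));
```

The naive rendering is identical for both vectors, while the exact rendering and the element-wise comparison both expose the change in argument boundaries.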


Remediation

Install the security update from the vendor's website.
