#VU125168 OS Command Injection in OpenClaw - CVE-2026-32917


Published: April 8, 2026


Vulnerability identifier: #VU125168
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-32917
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the configured remote host.

The vulnerability exists due to command injection in src/auto-reply/reply/stage-sandbox-media.ts when staging iMessage attachments over SCP using a sender-controlled remote attachment path. A remote attacker can send a specially crafted iMessage attachment filename containing shell metacharacters to execute arbitrary commands on the configured remote host.

Exploitation requires remote attachment staging to be enabled and ctx.MediaRemoteHost to be set.
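As an added illustration (not OpenClaw's code; the function names, the /tmp and /staging paths and the host check are assumptions), the command-string pattern the advisory describes beside a hardened version: the sender-controlled attachment name is never placed in the remote path, a generated name is used instead, and scp receives an argument vector rather than a shell command. The caveat matters here: scp hands the remote path to a shell on the remote host, so merely avoiding a local shell does not close this class of hole.

```typescript
import { execFile } from "node:child_process";
import { randomUUID } from "node:crypto";
import * as path from "node:path";

// Hypothetical illustration; OpenClaw's real staging code is not reproduced here.
// scp passes the remote path to a shell on the remote host, so shell
// metacharacters in a sender-chosen filename run there even when the local
// process never spawns a shell. The fix is to keep that name out of the path.

// Strict allowlist for one path component: no separators, no metacharacters,
// no leading '-' (which scp would parse as an option), no '.' or '..'.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/;

export function isSafeAttachmentName(name: string): boolean {
  return SAFE_NAME.test(name);
}

// Vulnerable pattern (CWE-78): the raw attachment name is stitched into a
// command string, so ';', '$(...)' and similar are interpreted by a shell.
export function buildScpCommandVulnerable(host: string, name: string): string {
  return `scp /tmp/${name} ${host}:/staging/${name}`;
}

// Hardened: the remote name is generated, keeping only a vetted extension.
export function stagingName(original: string, id: string = randomUUID()): string {
  const ext = path.extname(original).toLowerCase();
  return /^\.[a-z0-9]{1,8}$/.test(ext) ? `${id}${ext}` : id;
}

// Argument vector for execFile: no shell locally, no sender data remotely.
// The host comes from operator configuration (assumed trusted) but is still checked.
export function buildScpArgs(host: string, localPath: string, remoteDir: string,
                             original: string, id?: string): string[] {
  if (!/^[A-Za-z0-9._-]+$/.test(host)) throw new Error("unsafe remote host");
  return ["--", localPath, `${host}:${remoteDir}/${stagingName(original, id)}`];
}

// Runs scp without a shell; resolves with the remote destination actually used.
export function stageAttachment(host: string, localPath: string, remoteDir: string,
                                original: string): Promise<string> {
  const args = buildScpArgs(host, localPath, remoteDir, original);
  return new Promise((resolve, reject) =>
    execFile("scp", args, (err) => (err ? reject(err) : resolve(args[2]))));
}
```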


Remediation

Install the security update from the vendor's website.

External links