22 matches found
CVE-2026-31995
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...
EUVD-2026-14590
OpenClaw 2026.1.21 before 2026.2.19 contains a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows local operators to execute arbitrary commands. When spawn failures trigger shell fallback with shell: true, tool-provided arguments are interprete...
CVE-2026-32908
...
CVE-2026-32908
OpenClaw 2026.1.21 before 2026.2.19 contains a local command injection in the Lobster extension’s Windows shell fallback. When spawn failures trigger shell fallback with shell: true, tool-provided arguments are interpreted by cmd.exe, enabling arbitrary commands via workflow-controlled parameters...
PT-2026-27240
OpenClaw 2026.1.21 before 2026.2.19 contains a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows local operators to execute arbitrary commands. When spawn failures trigger shell fallback with shell: true, tool-provided arguments are interprete...
EUVD-2026-13029
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...
GHSA-5RP4-CWGH-GVWQ Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7fcc-cw49-xm78. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool executio...
EUVD-2026-13039
OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers can inject shell metacharacters in command arguments to execute arbitrary commands when subproce...
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7fcc-cw49-xm78. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool executio...
GHSA-8PX5-2GFR-7PH6 Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fg3m-vhrr-8gj6. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's...
Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fg3m-vhrr-8gj6. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's...
CVE-2026-32000
OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers can inject shell metacharacters in command arguments to execute arbitrary commands when subproce...
CVE-2026-32000
OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers can inject shell metacharacters in command arguments to execute arbitrary commands when subproce...
CVE-2026-31995
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...
CVE-2026-31995
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...
CVE-2026-31995 OpenClaw 2026.1.21 < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Extension
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...
CVE-2026-31995
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...
CVE-2026-31995
CVE-2026-31995 affects OpenClaw 2026.1.21 and earlier, where the Lobster extension’s Windows shell fallback can be tricked into executing arbitrary commands. When a spawn failure triggers shell: true, an attacker can influence workflow arguments to cause cmd.exe command interpretation, enabling l...
CVE-2026-31995 OpenClaw 2026.1.21 < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Extension
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...
OpenClaw 操作系统命令注入漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.1.21 to 2026.2.19 had a vulnerability related to operating system command injection. This vulnerability stemmed from issues with the Windows shell backtracking mechanism implement...