19 matches found
CVE-2026-32000
OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers can inject shell metacharacters in command arguments to execute arbitrary commands when subproce...
CVE-2026-31995
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...
EUVD-2026-14590
OpenClaw 2026.1.21 before 2026.2.19 contains a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows local operators to execute arbitrary commands. When spawn failures trigger shell fallback with shell: true, tool-provided arguments are interprete...
CVE-2026-32908
...
CVE-2026-32908
OpenClaw 2026.1.21 before 2026.2.19 contains a local command injection in the Lobster extension’s Windows shell fallback. When spawn failures trigger shell fallback with shell: true, tool-provided arguments are interpreted by cmd.exe, enabling arbitrary commands via workflow-controlled parameters...
PT-2026-27240
OpenClaw 2026.1.21 before 2026.2.19 contains a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows local operators to execute arbitrary commands. When spawn failures trigger shell fallback with shell: true, tool-provided arguments are interprete...
EUVD-2026-13039
OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers can inject shell metacharacters in command arguments to execute arbitrary commands when subproce...
EUVD-2026-13029
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7fcc-cw49-xm78. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool executio...
Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fg3m-vhrr-8gj6. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's...
CVE-2026-31995
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...
CVE-2026-31995
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...
CVE-2026-32000
OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers can inject shell metacharacters in command arguments to execute arbitrary commands when subproce...
CVE-2026-31995
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...
GHSA-FG3M-VHRR-8GJ6 OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
Summary On Windows, the Lobster extension previously retried certain spawn failures ENOENT/EINVAL with shell: true for wrapper compatibility. In that fallback path, tool-provided arguments could be interpreted by cmd.exe if fallback was triggered. Affected Packages / Versions - Package: openclaw...
OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
Summary On Windows, the Lobster extension previously retried certain spawn failures ENOENT/EINVAL with shell: true for wrapper compatibility. In that fallback path, tool-provided arguments could be interpreted by cmd.exe if fallback was triggered. Affected Packages / Versions - Package: openclaw...
GHSA-7FCC-CW49-XM78 OpenClaw has command injection via Windows shell fallback in Lobster tool execution
Summary The Lobster extension tool execution path used a Windows shell fallback shell: true after spawn failures EINVAL/ENOENT. In that fallback path, shell metacharacters in command arguments can be interpreted by the shell, enabling command injection. Affected Packages / Versions - Package:...
PT-2026-26013
Summary shell-env fallback trusted prefix-based executable paths for $SHELL, allowing execution of attacker-controlled binaries in local/runtime-env influence scenarios. Details In affected versions, shell selection accepted either: 1. a shell listed in /etc/shells, or 2. any executable under...
PT-2026-26240
Summary The Lobster extension tool execution path used a Windows shell fallback shell: true after spawn failures EINVAL/ENOENT. In that fallback path, shell metacharacters in command arguments can be interpreted by the shell, enabling command injection. Affected Packages / Versions - Package:...