High severity · NVD Advisory · Published Mar 19, 2026 · Updated Mar 25, 2026
OpenClaw < 2026.2.22 - Arbitrary Shell Execution via Unvalidated SHELL Environment Variable
CVE-2026-32032
Description
OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in the shell environment fallback, which trusts the unvalidated SHELL path taken from the host environment. An attacker with local environment access can inject a malicious SHELL variable to execute arbitrary commands with the privileges of the OpenClaw process.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.2.22 | 2026.2.22 |
References
- https://github.com/openclaw/openclaw/commit/25e89cc86338ef475d26be043aa541dfdb95e52a (patch)
- https://github.com/advisories/GHSA-f8mp-vj46-cq8v (advisory)
- https://github.com/openclaw/openclaw/security/advisories/GHSA-f8mp-vj46-cq8v (third-party advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-32032 (advisory)
- https://www.vulncheck.com/advisories/openclaw-arbitrary-shell-execution-via-unvalidated-shell-environment-variable (third-party advisory)