HIGHCVE-2026-32032Published 2026-03-19Modified 2026-03-25CNA VulnCheck

CVE-2026-32032: OpenClaw < 2026.2.22 - Arbitrary Shell Execution via Unvalidated SHELL Environment Variable

OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell environment fallback that trusts the unvalidated SHELL path from the host environment. An attacker with local environment access can inject a malicious SHELL variable to execute arbitrary commands with the privileges of the OpenClaw process.

CVSS v4.0: 7.3
Severity: HIGH
Fixed in: 2026.2.22
Affected Products: 1

Fix available

2026.2.22

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.2.22 (from 0)
Fixed in 2026.2.22

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-f8mp-vj46-cq8v)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.2.22 - Arbitrary Shell Execution via Unvalidated SHELL Environment Variable

Metrics

Fix available