PT-2026-26738 · Openclaw · Openclaw

Tdjackey · Published 2026-03-03 · Updated 2026-03-21 · CVE-2026-32056

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.22

Description: OpenClaw does not properly sanitize the shell startup environment variables HOME and ZDOTDIR within the system.run function. This allows attackers to bypass command allowlist protections: by injecting malicious startup files, such as .bash_profile or .zshenv, they can achieve arbitrary code execution before allowlist-evaluated commands are executed.

Recommendations: Update OpenClaw to version 2026.2.22 or later.
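The defensive pattern this advisory points at, as an added example that is not OpenClaw's code: a command runner that still applies an allowlist but no longer trusts the caller's environment. It builds the child's environment from scratch (HOME pinned to a service-controlled directory; ZDOTDIR, ENV and BASH_ENV never passed through) and starts bash with --noprofile --norc, so no startup file is read before the allowlisted command runs. The allowlist contents, function names and paths are illustrative assumptions.

```python
import os
import shlex
import subprocess

# Constructed allowlist for illustration: only the first token (the program)
# is checked, which is the shape of check the advisory says was bypassed.
ALLOWED_PROGRAMS = {"ls", "cat", "git"}

# Variables the child is allowed to inherit from the caller. HOME, ZDOTDIR,
# ENV and BASH_ENV are deliberately absent: each of them lets the caller
# choose which startup file the shell sources before the command runs.
INHERITED_VARS = ("PATH", "LANG", "LC_ALL", "TZ")


def build_safe_env(caller_env, safe_home):
    """Build the child's environment from scratch.

    Nothing from caller_env is copied except INHERITED_VARS, and HOME is
    pinned to a directory the service controls (safe_home), so a
    caller-supplied HOME or ZDOTDIR cannot redirect the shell to a
    .bash_profile or .zshenv the caller wrote.
    """
    env = {k: caller_env[k] for k in INHERITED_VARS if k in caller_env}
    env["HOME"] = safe_home
    return env


def allowlisted_argv(command):
    """Return argv for an allowlisted command, or None if it is not allowed."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: reject rather than guess
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    return argv


def shell_invocation(argv):
    """Command line that runs argv through bash with no startup files.

    --noprofile and --norc make bash skip /etc/profile, ~/.bash_profile,
    ~/.bashrc and the file named by BASH_ENV, so the environment scrubbing
    in build_safe_env is backed by a second, independent control.
    """
    return ["bash", "--noprofile", "--norc", "-c", shlex.join(argv)]


def run_allowlisted(command, safe_home, caller_env=None):
    """Run an allowlisted command in a scrubbed environment (hypothetical API)."""
    argv = allowlisted_argv(command)
    if argv is None:
        raise PermissionError(f"command not allowlisted: {command!r}")
    env = build_safe_env(os.environ if caller_env is None else caller_env, safe_home)
    # If shell features (pipes, globbing) are not needed, prefer
    # subprocess.run(argv, env=env, ...) and do not start a shell at all.
    return subprocess.run(shell_invocation(argv), env=env,
                          capture_output=True, text=True, timeout=30, check=False)


if __name__ == "__main__":
    # Constructed caller environment with startup-control variables set;
    # none of them reaches the child.
    untrusted = {"HOME": "/tmp/untrusted", "ZDOTDIR": "/tmp/untrusted",
                 "BASH_ENV": "/tmp/untrusted/env.sh",
                 "PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    result = run_allowlisted("ls -la /", safe_home="/var/lib/service/home",
                             caller_env=untrusted)
    print(result.returncode, result.stdout[:200])
```

The two controls are independent on purpose: even if a future change leaks an extra variable into the child, bash started with --noprofile --norc still reads no startup files. If the runner must use zsh instead, `zsh -f` (NO_RCS) is the equivalent switch; the environment scrubbing stays the same.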

Fix

Weakness Enumeration

OS Command Injection

Related identifiers

CVE-2026-32056
GHSA-RJ39-33V7-9XRQ
GHSA-XGF2-VXV2-RRMG

Affected products

Openclaw