CVE-2026-26323

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.1.8 through 2026.2.13

Description The software contains a command injection issue in the scripts/update-clawtributors.ts script. This affects contributors or maintainers, and CI systems, who execute bun scripts/update-clawtributors.ts on a source checkout containing a malicious commit author email. The script extracts a GitHub login from git log author metadata and uses it in a shell command via execSync. A crafted commit record can inject shell metacharacters, leading to arbitrary command execution. Normal CLI usage, such as npm i -g openclaw, is not affected as the script is not part of the shipped CLI and is not executed during routine operation.

Recommendations Versions 2026.1.8 through 2026.2.13 should be updated to version 2026.2.14 or later. As a temporary workaround, avoid running the bun scripts/update-clawtributors.ts script on source checkouts with untrusted commit history.