PT-2026-26235

Tdjackey · Published 2026-02-19 · Updated 2026-03-20

CVE-2026-31995

CVSS v3.1

7.0 High

Vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

OpenClaw versions 2026.1.21 through 2026.2.17

Description

The Lobster extension in OpenClaw is vulnerable to OS command injection on Windows. When the extension spawns a tool process and the spawn fails, it falls back to re-spawning the command with shell: true, which hands the command name and its arguments to cmd.exe as a single command line. Because the arguments are not escaped for cmd.exe, an attacker who can control the workflow arguments passed to the tool can embed shell metacharacters and execute arbitrary commands in the context of the OpenClaw process. Exploitation requires triggering the spawn failure that activates the fallback, which the CVSS vector reflects as high attack complexity. The Windows shell fallback has been removed in later versions.
Recommendations

Update to OpenClaw version 2026.2.19 or later.

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2026-05251
CVE-2026-31995
GHSA-8PX5-2GFR-7PH6
GHSA-FG3M-VHRR-8GJ6

Affected Products

Blobster
Openclaw
Windows