CVE-2026-32000

CVSS v3.1

6.3

Medium

AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers can inject shell metacharacters in command arguments to execute arbitrary commands when subprocess launch fails with EINVAL or ENOENT errors.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2026-32000

Affected Products

Openclaw

CVE-2026-32000

Weakness Enumeration

Related Identifiers

Affected Products

References · 6