PT-2026-26240 · Lobster+1 · Blobster+1

Sean Nejad · Published 2026-02-19 · Updated 2026-03-21

CVE-2026-32000

CVSS v4.0: 8.6 (High)
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.19; OpenClaw versions 2026.2.17 and earlier
Description: OpenClaw versions prior to 2026.2.19 contain a command injection issue in the Lobster extension's tool execution. The issue stems from a Windows shell fallback: when process creation fails with an EINVAL or ENOENT error, the tool retries the subprocess launch with shell: true. Because the retried command line is parsed by the shell, attackers can inject shell metacharacters into command arguments and potentially execute arbitrary commands whenever the initial launch fails with one of those errors. The affected code resides in the extensions/lobster/src/lobster-tool.ts file. The fix removes the shell fallback and uses explicit executable/script argv execution.
Recommendations: OpenClaw versions prior to 2026.2.19 should be updated to version 2026.2.19 or later.

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers:
BDU:2026-05004
CVE-2026-32000
GHSA-5RP4-CWGH-GVWQ
GHSA-7FCC-CW49-XM78

Affected Products:
Blobster
Openclaw