PT-2026-27240 · Openclaw+2

Tdjackey · Published 2026-03-23 · Updated 2026-03-24 · CVE-2026-32908

CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
OpenClaw versions 2026.1.21 through 2026.2.18

Description
The software contains a command injection issue within the Lobster extension’s Windows shell fallback mechanism. This allows local operators to execute arbitrary commands. The issue occurs when spawn failures trigger shell fallback with shell set to true, causing arguments provided by the tool to be interpreted by cmd.exe, which enables command injection through parameters controlled by the workflow.

Recommendations
Update to version 2026.2.19 or later.
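
A spawn wrapper that avoids the fallback pattern described above, as an added example that is not OpenClaw's code or its actual fix. It assumes the affected code path uses Node's `child_process.spawn`; `spawnTool`, `findCmdMetaArgs`, the `opts` fields and `tool.cmd` are hypothetical names.

```javascript
// Added example, not OpenClaw code; spawnTool, findCmdMetaArgs and opts are hypothetical names.
// Characters cmd.exe can treat specially when it parses a command line.
const CMD_META = /[&|<>^%!"()\r\n]/;

// Return the arguments that cmd.exe could interpret instead of passing through.
function findCmdMetaArgs(args) {
  return args.map(String).filter((a) => CMD_META.test(a));
}

// Spawn a tool with workflow-supplied arguments, failing closed.
function spawnTool(command, args, opts = {}) {
  const platform = opts.platform || process.platform;
  // Assumption: the caller uses Node's child_process.spawn (injectable for tests).
  const spawnImpl = opts.spawnImpl || require("node:child_process").spawn;

  // Batch files are always interpreted by cmd.exe, so refuse arguments
  // that cmd.exe could parse as syntax when the target is a .cmd/.bat file.
  const isBatch = platform === "win32" && /\.(cmd|bat)$/i.test(command);
  const risky = isBatch ? findCmdMetaArgs(args) : [];
  if (risky.length > 0) {
    return { ok: false, reason: "cmd-metachar", detail: risky };
  }

  try {
    // shell: false keeps every argument a separate argv entry.
    const child = spawnImpl(command, args.map(String), {
      shell: false,
      windowsHide: true,
    });
    // Asynchronous failures (for example ENOENT) arrive as an 'error' event.
    child.on("error", (err) => (opts.onError || console.error)(err));
    return { ok: true, child };
  } catch (err) {
    // Report the failure; never retry the same arguments with shell: true.
    return { ok: false, reason: err.code || "spawn-failed", detail: [] };
  }
}

// Constructed sample: a workflow argument containing a cmd.exe separator.
const sample = spawnTool("tool.cmd", ["run", "notes & more"], {
  platform: "win32",
  spawnImpl: () => { throw new Error("not reached"); },
});
console.log(sample); // refused before any process is created
```
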

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-32908

Affected Products: Blobster, Openclaw, Windows