PT-2026-29227 · Openclaw · Openclaw

Lintsinghua · Published 2026-03-31 · Updated 2026-04-10 · CVE-2026-32917

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.13

Description
OpenClaw is affected by a remote command injection issue in the iMessage attachment staging flow. Remote attachment paths are placed, without sanitization, into the remote operand (host:path) of an scp invocation. scp hands that operand to the login shell of the remote SSH user, so shell metacharacters in the path (backticks, $(...), semicolons) are evaluated on the remote host instead of being treated as part of a filename. When remote attachment staging is enabled, an attacker who can influence an attachment path can therefore execute arbitrary commands on the configured remote hosts, with the privileges of the SSH account OpenClaw uses to reach them. The CVSS vector rates the issue as reachable over the network without privileges or user interaction.

Recommendations
Update OpenClaw to version 2026.3.13 or later. If the upgrade cannot be applied immediately, disable remote attachment staging, since the injection point is only reachable while that flow is active.
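As an added illustration (not OpenClaw's own code, and not the fix shipped in 2026.3.13), the TypeScript below places the vulnerable shape described above next to a hardened version: the attachment path is checked against a character allowlist, confined to an assumed staging root, single-quoted for the remote POSIX shell that scp will run it through, and handed to scp as an argument array rather than through a local shell. The host name, staging root, file names and function names are all assumptions made for the example.

```typescript
// Added example, not OpenClaw's code. Demonstrates the unsafe scp remote operand
// construction next to a hardened equivalent. All names below are assumptions.
import { spawn } from "node:child_process";

// Vulnerable shape: the attachment path is dropped straight into scp's remote
// operand. scp forwards that operand to the remote login shell, so a path such
// as "photo.jpg`id`" runs `id` on the remote host.
function buildScpArgsUnsafe(host: string, remotePath: string, localDest: string): string[] {
  return [`${host}:${remotePath}`, localDest];
}

// Allowlist for attachment paths: letters, digits and a few punctuation chars.
// Backtick, $, ;, |, &, quotes, newlines and the rest are rejected outright.
const SAFE_PATH = /^[A-Za-z0-9._~\/@+ -]+$/;

function validateRemoteAttachmentPath(remotePath: string, stagingRoot: string): string {
  if (!SAFE_PATH.test(remotePath)) {
    throw new Error(`attachment path contains disallowed characters: ${JSON.stringify(remotePath)}`);
  }
  // Reject traversal segments so a validated path cannot escape the staging root.
  if (remotePath.split("/").some((seg) => seg === "..")) {
    throw new Error("attachment path contains a '..' segment");
  }
  if (!remotePath.startsWith(stagingRoot)) {
    throw new Error(`attachment path is outside ${stagingRoot}`);
  }
  return remotePath;
}

// Single-quote for the remote POSIX shell. Defence in depth: scp still passes
// the operand through that shell even after validation, so quote it anyway.
function quoteForRemoteShell(s: string): string {
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

function buildScpArgsSafe(host: string, remotePath: string, localDest: string, stagingRoot: string): string[] {
  const validated = validateRemoteAttachmentPath(remotePath, stagingRoot);
  // "--" stops scp's option parser from treating a path starting with "-" as a flag.
  return ["--", `${host}:${quoteForRemoteShell(validated)}`, localDest];
}

// Spawn without a local shell: the args array reaches scp directly, so the
// local side cannot be injected either. Not executed in the demo below.
function stageAttachment(host: string, remotePath: string, localDest: string, stagingRoot: string) {
  return spawn("scp", buildScpArgsSafe(host, remotePath, localDest, stagingRoot), { stdio: "inherit" });
}

// Constructed inputs for a stand-alone run (assumed macOS iMessage attachment root).
const STAGING_ROOT = "/Users/imsg/Library/Messages/Attachments/";
const HOST = "imac.local";
const BENIGN = STAGING_ROOT + "ab/12/photo.jpg";
const MALICIOUS = STAGING_ROOT + "ab/12/photo.jpg`touch /tmp/pwned`";

console.log("unsafe:", buildScpArgsUnsafe(HOST, MALICIOUS, "/tmp/stage/photo.jpg"));
console.log("safe  :", buildScpArgsSafe(HOST, BENIGN, "/tmp/stage/photo.jpg", STAGING_ROOT));
try {
  buildScpArgsSafe(HOST, MALICIOUS, "/tmp/stage/photo.jpg", STAGING_ROOT);
} catch (e) {
  console.log("rejected:", (e as Error).message);
}
```

Note that quoting alone is not the fix: a path that passes the allowlist but is quoted incorrectly, or a future code path that bypasses the quoting helper, reintroduces the bug. The allowlist and the staging-root check are what make the remote operand safe; the quoting and the argument array are belt-and-braces.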

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-32917

Affected Products

Openclaw