What is the CVSS score of CVE-2026-26323?

CVE-2026-26323 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Node.js are affected by CVE-2026-26323?

OpenClaw versions 2026.1.8 through 2026.2.13 contain a command injection vulnerability in a developer maintenance script that could allow unauthorized code execution.. A patch is available.

Node.js CVE-2026-26323

HIGH

OS Command Injection (CWE-78)

2026-02-19 security-advisories@github.com

GHSA-m7x8-2w3w-pr42

Command Injection Node.js Github AI / ML Openclaw

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

Patch released

Feb 20, 2026 - 19:06 nvd

Patch available

CVE Published

Feb 19, 2026 - 23:16 nvd

HIGH 8.8

DescriptionNVD

OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script scripts/update-clawtributors.ts. The issue affects contributors/maintainers (or CI) who run bun scripts/update-clawtributors.ts in a source checkout that contains a malicious commit author email (e.g. crafted @users[.]noreply[.]github[.]com values). Normal CLI usage is not affected (npm i -g openclaw): this script is not part of the shipped CLI and is not executed during routine operation. The script derived a GitHub login from git log author metadata and interpolated it into a shell command (via execSync). A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run. Version 2026.2.14 contains a patch.

AnalysisAI

Arbitrary command execution in OpenClaw versions 2026.1.8 through 2026.2.13 allows attackers to execute shell commands when developers or CI systems run the update-clawtributors.ts maintenance script on repositories containing malicious commit metadata. The vulnerability stems from unsanitized interpolation of git author emails into shell commands via execSync, exploitable only by those with access to the development environment or source repository. …

RemediationAI

Within 24 hours: Identify all systems running OpenClaw versions 2026.1.8-2026.2.13 and restrict access to the scripts/update-clawtributors.ts script. Within 7 days: Apply the available patch to all affected instances and validate successful deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-26323 vulnerability details – vuln.today

Back

Node.js CVE-2026-26323

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code