EUVD-2026-14590
GHSA-q528-m8hg-cjmr
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
OpenClaw 2026.1.21 before 2026.2.19 contains a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows local operators to execute arbitrary commands. When spawn failures trigger shell fallback with shell: true, tool-provided arguments are interpreted by cmd.exe, enabling command injection through workflow-controlled parameters.
Analysis
OpenClaw 2026.1.21 through 2026.2.18 contains a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism. Local authenticated users with low privileges can execute arbitrary commands when spawn failures trigger shell fallback with cmd.exe, exploiting workflow-controlled parameters. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running OpenClaw versions 2026.1.21 through 2026.2.18 and assess their criticality level. Within 7 days: Apply the available vendor patch to all non-production instances and conduct testing in a staging environment. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today