Skip to main content

Windows CVE-2026-32912

| EUVDEUVD-2026-14597 MEDIUM
Untrusted Search Path (CWE-426)
2026-03-23 VulnCheck GHSA-7j7f-88p8-wh55
5.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.8 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.3.1
EUVD ID Assigned
Mar 23, 2026 - 22:00 euvd
EUVD-2026-14597
Analysis Generated
Mar 23, 2026 - 22:00 vuln.today
CVE Published
Mar 23, 2026 - 21:36 nvd
MEDIUM 5.8

DescriptionCVE.org

OpenClaw versions 2026.2.26 before 2026.3.1 contain a current working directory injection vulnerability in Windows wrapper resolution for .cmd/.bat files that allows shell execution fallback. Attackers can manipulate the current working directory to alter wrapper resolution behavior and achieve command execution integrity loss.

AnalysisAI

OpenClaw versions 2026.2.26 through 2026.3.0 contain a current working directory (CWD) injection vulnerability in the Windows wrapper resolution mechanism for .cmd and .bat files, allowing attackers with local access to manipulate CWD and achieve command execution with integrity compromise. An attacker with local privileges can alter the working directory to inject malicious wrapper scripts that execute instead of legitimate ones, bypassing command execution controls. The vulnerability requires local access and moderate complexity but enables high-integrity impact; no active KEV or widespread exploitation has been reported, but proof-of-concept details are documented in vendor security advisories.

Technical ContextAI

The vulnerability exists in OpenClaw's Windows shell wrapper resolution logic for batch and command files (.cmd/.bat). When OpenClaw resolves wrapper scripts on Windows, it searches the current working directory as part of its path resolution mechanism, consistent with CWE-426 (Untrusted Search Path). By manipulating the CWD before invoking OpenClaw operations, an attacker can place a malicious .cmd or .bat file in a predictable location that OpenClaw will execute instead of the legitimate system wrapper. This is a classic DLL/executable search-path hijacking pattern applied to batch script resolution. The affected product range spans OpenClaw versions before 2026.3.1 (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*), with confirmed vulnerability in 2026.2.26 and later versions up to 2026.3.0.

RemediationAI

Upgrade OpenClaw to version 2026.3.1 or later immediately, as the patch directly addresses CWD injection in wrapper resolution. For environments unable to patch immediately, restrict local user execution contexts and enforce strict working directory controls via Windows Group Policy (e.g., disable execution from user-writable directories, enforce AppLocker policies on .cmd/.bat execution, or run OpenClaw under a dedicated service account with minimal directory write permissions). Additionally, audit systems where untrusted local users can manipulate working directories before invoking OpenClaw operations. See vendor advisories at https://github.com/openclaw/openclaw/security/advisories/GHSA-6f6j-wx9w-ff4j for patch availability and detailed remediation guidance.

CVE-2021-40444 HIGH POC
8.8 Sep 15

Windows MSHTML component contains a remote code execution vulnerability that allows attackers to craft malicious ActiveX

CVE-2021-1732 HIGH POC
7.8 Feb 25

Windows Win32k contains an out-of-bounds write vulnerability enabling local privilege escalation to SYSTEM, exploited by

CVE-2018-8174 HIGH POC
7.5 May 09

The Windows VBScript engine contains a remote code execution vulnerability in object handling that allows full system co

CVE-2019-0803 HIGH POC
7.8 Apr 09

Windows Win32k fails to properly handle objects in memory, allowing local privilege escalation exploited in the wild in

CVE-2020-1472 MEDIUM POC
5.5 Aug 17

A privilege escalation vulnerability (CVSS 5.5). Risk factors: actively exploited (KEV-listed), EPSS 94% exploitation pr

CVE-2024-30088 HIGH POC
7.0 Jun 11

Windows Kernel contains a TOCTOU race condition vulnerability allowing local privilege escalation, exploited by the OilR

CVE-2025-33053 HIGH POC
8.8 Jun 10

Windows Internet Shortcut Files (.url) contain an external control vulnerability (CVE-2025-33053, CVSS 8.8) that enables

CVE-2025-33073 HIGH POC
8.8 Jun 10

Windows SMB contains an improper access control vulnerability (CVE-2025-33073, CVSS 8.8) enabling authenticated attacker

CVE-2025-13315 CRITICAL POC
9.3 Nov 19

Twonky Server 8.5.2 on Linux and Windows allows unauthenticated access to the admin log file through a web service API b

CVE-2013-10047 CRITICAL POC
9.3 Aug 01

An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote

CVE-2012-10030 CRITICAL POC
9.3 Aug 05

FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbit

CVE-2025-34101 CRITICAL POC
9.3 Jul 10

Serviio Media Server versions 1.4 through 1.8 on Windows contain an unauthenticated command injection in the /rest/actio

Share

CVE-2026-32912 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy