Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 9 npm packages depend on openclaw (5 direct, 4 indirect)
Ecosystem-wide dependent count for version 2026.3.13.
DescriptionCVE.org
OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote attachment paths containing shell metacharacters are passed directly to the SCP remote operand without validation, enabling command execution when remote attachment staging is enabled.
AnalysisAI
Remote command injection in OpenClaw's iMessage attachment staging mechanism (versions prior to 2026.3.13) allows unauthenticated network attackers to execute arbitrary commands on configured remote hosts via malicious attachment paths. The critical flaw stems from unsanitized shell metacharacters passed directly to SCP operations, achieving full system compromise (CVSS 9.8) when remote attachment staging is enabled. EPSS data and KEV status not provided; publicly available exploit code exists (GitHub commit demonstrates the fix, implying POC-level understanding in security community).
Technical ContextAI
This vulnerability affects OpenClaw (cpe:2.3:a:openclaw:openclaw), manifesting as a CWE-78 OS Command Injection weakness. The flaw resides in the iMessage attachment staging workflow where the application constructs SCP (Secure Copy Protocol) commands to transfer attachments to remote hosts. The vulnerability occurs because user-controlled attachment path data-specifically remote attachment paths embedded in iMessage metadata-are concatenated into shell commands without proper input sanitization or validation. Shell metacharacters (such as semicolons, pipes, backticks, or command substitution syntax) embedded in these paths are interpreted by the underlying shell during SCP execution, breaking out of the intended command context. This is a classic example of improper neutralization of special elements used in OS commands, where the trust boundary between user input and system command execution is not enforced. The vulnerability requires remote attachment staging to be enabled in the OpenClaw configuration, suggesting this is an optional feature for distributed or cloud-based deployment scenarios.
RemediationAI
Vendor-released patch: OpenClaw version 2026.3.13 or later. Organizations running affected versions should immediately upgrade to OpenClaw 2026.3.13, which implements proper input validation and sanitization of remote attachment paths before passing them to SCP operations. The specific remediation commit is available at https://github.com/openclaw/openclaw/commit/a54bf71b4c0cbe554a84340b773df37ee8e959de for technical review and verification. As an interim workaround for environments where immediate patching is not feasible, administrators should disable remote attachment staging functionality in OpenClaw configuration files until the upgrade can be completed. This workaround completely eliminates the attack vector but may impact operational workflows dependent on remote attachment processing. Network-level controls such as restricting access to OpenClaw instances via firewall rules or VPN requirements can reduce exposure but do not eliminate risk from internal threats or lateral movement scenarios. Post-upgrade, administrators should audit logs for suspicious SCP command execution patterns or unexpected remote command activity that may indicate prior exploitation attempts. Refer to the official GitHub security advisory (GHSA-g2f6-pwvx-r275) for additional vendor guidance and detection strategies.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17371