Vulnerability DatabaseCVE-2026-32032
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-32032
March 19, 2026
OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell environment fallback that trusts the unvalidated SHELL path from the host environment. An attacker with local environment access can inject a malicious SHELL variable to execute arbitrary commands with the privileges of the OpenClaw process.
Affected Packages
openclaw (NPM):
Affected version(s) >=0.0.1 <2026.2.22
Fix Suggestion:
Update to version 2026.2.22
Related ResourcesĀ (5)
https://www.vulncheck.com/advisories/openclaw-arbitrary-shell-execution-via-unvalidated-shell-environment-variable
https://github.com/openclaw/openclaw
https://github.com/openclaw/openclaw/security/advisories/GHSA-f8mp-vj46-cq8v
https://nvd.nist.gov/vuln/detail/CVE-2026-32032
https://github.com/openclaw/openclaw/commit/25e89cc86338ef475d26be043aa541dfdb95e52a
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.3
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.8
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Untrusted Search Path
CWE-426
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-78
EPSS
Base Score:
0.02