CVE-2026-31995

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-31995

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31995.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-31995

Aliases

GHSA-fg3m-vhrr-8gj6

Published

2026-03-19T02:16:04.707Z

Modified

2026-04-02T13:24:10.499704Z

Severity

7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true, attackers can exploit cmd.exe command interpretation to execute malicious commands by controlling workflow arguments.

References

Affected packages

Git / github.com/openclaw/openclaw

Affected ranges

Type

GIT

Repo

https://github.com/openclaw/openclaw

Events

Introduced

80c1edc3ff43b3bd3b7b545eed79f303d992f7dc

Fixed

2c05cbb43e48ebad03626d3125746fb1b9a8520f

Fixed

ba7be018da354ea9f803ed356d20464df0437916

Database specific

{
    "versions": [
        {
            "introduced": "2026.1.21"
        },
        {
            "fixed": "2026.2.19"
        }
    ]
}

Affected versions

v2026.*

v2026.1.21

v2026.1.22

v2026.1.23

v2026.1.24

v2026.1.24-1

v2026.1.29

v2026.1.30

v2026.2.1

v2026.2.12

v2026.2.13

v2026.2.14

v2026.2.15-beta.1

v2026.2.17

v2026.2.2

v2026.2.3

v2026.2.6

v2026.2.6-1

v2026.2.6-2

v2026.2.6-3

v2026.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31995.json"