CVE-2026-31999

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-31999

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31999.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-31999

Aliases

GHSA-6f6j-wx9w-ff4j

Downstream

MINI-vvrj-28pf-4pxx

Published

2026-03-19T02:16:05.580Z

Modified

2026-04-02T13:24:13.995785Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss by controlling the current working directory during wrapper resolution.

References

Affected packages

Git / github.com/openclaw/openclaw

Affected ranges

Type

GIT

Repo

https://github.com/openclaw/openclaw

Events

Introduced

bc507080577c620243617e8fadd294bec3efa252

Fixed

d76b224e20c790b7223d4075abd087c9576a4661

Database specific

{
    "versions": [
        {
            "introduced": "2026.2.26"
        },
        {
            "fixed": "2026.3.1"
        }
    ]
}

Affected versions

v2026.*

v2026.2.26

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31999.json"