CVE-2026-32052

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-32052

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32052.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-32052

Aliases

GHSA-6rcp-vxwf-3mfp

Downstream

MINI-9wrh-hc28-4ghq

Published

2026-03-21T01:17:08.287Z

Modified

2026-04-02T13:24:16.005049Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary commands through trailing positional arguments that bypass display context validation.

References

Affected packages

Git / github.com/openclaw/openclaw

Affected ranges

Type: GIT
Repo: https://github.com/openclaw/openclaw
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0f0a680d3df81739ea5088a2f88e65f938b7936b

Type: GIT
Repo: https://github.com/openclaw/openclaw
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

55cf92578d266987e390c4bf688196af98eac748

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v1.*

v1.0.4

v1.1.0

v1.2.0

v1.2.1

v1.2.2

v1.3.0

v2.*

v2.0.0-beta1

v2.0.0-beta2

v2.0.0-beta3

v2.0.0-beta4

v2.0.0-beta5

v2026.*

v2026.1.10

v2026.1.11

v2026.1.11-1

v2026.1.11-2

v2026.1.11-3

v2026.1.12

v2026.1.12-2

v2026.1.13

v2026.1.14-1

v2026.1.15

v2026.1.16-2

v2026.1.20

v2026.1.21

v2026.1.22

v2026.1.23

v2026.1.24

v2026.1.24-1

v2026.1.29

v2026.1.30

v2026.1.5

v2026.1.5-1

v2026.1.5-2

v2026.1.5-3

v2026.1.8

v2026.1.9

v2026.2.1

v2026.2.12

v2026.2.13

v2026.2.14

v2026.2.15-beta.1

v2026.2.17

v2026.2.19

v2026.2.19-beta.1

v2026.2.2

v2026.2.21

v2026.2.21-beta.1

v2026.2.22

v2026.2.22-beta.1

v2026.2.23

v2026.2.23-beta.1

v2026.2.3

v2026.2.6

v2026.2.6-1

v2026.2.6-2

v2026.2.6-3

v2026.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32052.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "trailing"
            }
        ]
    }
]