Description
OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests (non-default configuration), allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...% to execute unapproved commands beyond the allowlisted operations.
Published: 2026-03-05
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.2 fail to validate Windows cmd.exe metacharacters in allowlist‑controlled execution requests. Attackers can embed shell metacharacters such as & or %…% into the command string, bypassing the allowlist check and executing arbitrary commands. This is a command injection flaw (CWE-78) that enables remote code execution with the privileges of the OpenClaw service, potentially leading to full compromise of the host system.

Affected Systems

The vulnerability affects the OpenClaw product from vendor OpenClaw. All releases older than version 2026.2.2 are impacted, including those distributed as Node.js applications identified by the CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*.

Risk and Exploitability

The flaw scores 9.2 on the CVSS scale, indicating a critical threat. The EPSS score is below 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers can target the service remotely, especially when the allowlist gating is enabled and command execution is permitted. Successful exploitation grants arbitrary code execution on the host machine.

Generated by OpenCVE AI on April 18, 2026 at 09:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.2.2 or later, which replaces the flawed parsing logic and validates all cmd.exe metacharacters, thereby fixing the command injection (CWE‑78) flaw.
  • If an immediate upgrade is not possible, restrict or disable the exec or run commands feature that relies on allowlist‑controlled execution, preventing arbitrary command injection (CWE‑78).
  • Enable logging and audit of exec requests, and monitor for unusual patterns such as shell metacharacters or repeated attempts to invoke disallowed commands, which may indicate exploitation of the command injection weakness (CWE‑78).

Generated by OpenCVE AI on April 18, 2026 at 09:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qj77-c3c8-9c3q OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating
History

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Fri, 06 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-184

Fri, 06 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests, allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...% to execute unapproved commands beyond the allowlisted operations. OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests (non-default configuration), allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...% to execute unapproved commands beyond the allowlisted operations.

Thu, 05 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests, allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...% to execute unapproved commands beyond the allowlisted operations.
Title OpenClaw < 2026.2.2 - Command Injection via cmd.exe Parsing Bypass in Allowlist Enforcement
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-184
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-10T14:40:44.680Z

Reserved: 2026-02-27T14:54:35.709Z

Link: CVE-2026-28391

cve-icon Vulnrichment

Updated: 2026-03-10T14:40:39.000Z

cve-icon NVD

Status : Modified

Published: 2026-03-05T22:16:15.360

Modified: 2026-03-10T18:18:45.970

Link: CVE-2026-28391

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses