Impact
OpenClaw versions prior to 2026.5.2 contain a path traversal flaw in the maintenance task execution flow. An attacker can craft a workspace that causes OpenClaw to select a trash command based on a manipulated environment path derived from that workspace. The flaw lets the operator run unintended local executables from paths that should not be executed during maintenance, giving the attacker the ability to launch arbitrary commands with the privileges of the OpenClaw process. The weakness is identified as CWE‑426 and results in full local code execution on the target system.
Affected Systems
All installations of OpenClaw built before version 2026.5.2 are vulnerable. No specific sub‑versions are listed; any system using a pre‑2026.5.2 release must review its current version.
Risk and Exploitability
The CVSS score of 7.2 indicates a high severity, while the EPSS score of less than 1% suggests the overall likelihood of exploitation is low at present. The vulnerability is not observed in the CISA KEV catalog, and the attack path is inferred to require local access to the maintenance environment or malicious workspace manipulation. Successful exploitation would grant the attacker full execution rights on the host, enabling data theft, service disruption, or pivoting to higher privileges. Administrators should treat this as a high‑risk issue that warrants prompt remediation.
OpenCVE Enrichment
Github GHSA