CVE-2026-32032

Published: Mar 19, 2026 Last Modified: Mar 19, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,3

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

HIGH 7,0

Source: [email protected]

Attack Vector: local

Attack Complexity: high

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell environment fallback that trusts the unvalidated SHELL path from the host environment. An attacker with local environment access can inject a malicious SHELL variable to execute arbitrary commands with the privileges of the OpenClaw process.

426

Untrusted Search Path

Stable

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability Access Control

Potential Impacts:

Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Read Files Or Directories

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

https://github.com/openclaw/openclaw/commit/25e89cc86338ef4…

https://github.com/openclaw/openclaw/commit/25e89cc86338ef475d26be043aa541dfdb9…

https://github.com/openclaw/openclaw/security/advisories/GH…

https://github.com/openclaw/openclaw/security/advisories/GHSA-f8mp-vj46-cq8v

https://www.vulncheck.com/advisories/openclaw-arbitrary-she…

https://www.vulncheck.com/advisories/openclaw-arbitrary-shell-execution-via-unv…

CVE-2026-32032

Description

Untrusted Search Path

Common Consequences

Applicable Platforms

Iscriviti alla newsletter