| purl | pkg:npm/openclaw@2026.1.21 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2t1z-v6qm-gkhb Aliases: GHSA-8px5-2gfr-7ph6 | Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path. Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-fg3m-vhrr-8gj6. This link is maintained to preserve external references. Original Description: OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true, attackers can exploit cmd.exe command interpretation to execute malicious commands by controlling workflow arguments. | Affected by 484 other vulnerabilities. |
| VCID-ct6t-c3vp-4ydg Aliases: CVE-2026-32015 GHSA-g75x-8qqm-2vxp | OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks: `tools.exec.safeBins` allowlist checks could be bypassed by PATH-hijacked binaries, allowing execution of attacker-controlled trojan binaries under an allowlisted executable name. | Affected by 464 other vulnerabilities. |
| VCID-xrcg-kjac-nyeb Aliases: CVE-2026-31995 GHSA-fg3m-vhrr-8gj6 | OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path: On Windows, the Lobster extension previously retried certain spawn failures (`ENOENT`/`EINVAL`) with `shell: true` for wrapper compatibility. In that fallback path, tool-provided arguments could be interpreted by `cmd.exe` if fallback was triggered. | Affected by 464 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||