Zero Day MonitorZDM

← Back to list

9.8

CVE-2026-32917EXPLOITEDPATCHED

openclaw · openclaw

OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP

Description

OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote attachment paths containing shell metacharacters are passed directly to the SCP remote operand without validation, enabling command execution when remote attachment staging is enabled.

Affected Products

Vendor	Product	Versions
openclaw	openclaw	0

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-g2f6-pwvx-r275(third-party-advisory)
https://github.com/openclaw/openclaw/commit/a54bf71b4c0cbe554a84340b773df37ee8e959de(patch)
https://www.vulncheck.com/advisories/openclaw-remote-command-injection-via-unsanitized-imessage-attachment-paths-in-scp(third-party-advisory)

Related News (1 articles)

Tier C

VulDB10h ago

CVE-2026-32917 | OpenClaw up to 2026.3.12 Attachments os command injection (GHSA-g2f6-pwvx-r275)

→ No new info (linked only)

CVSS 3.19.8 NONE

CISA KEV❌ No

Actively exploited✅ Yes

Patch available2026.3.13

CWECWE-78

PublishedMar 31, 2026

Last enriched9h agov2

Trending Score52

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-34504EXP

OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider

NONECVE-2026-33580EXP

OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication

NONECVE-2026-33579EXP

OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval

NONECVE-2026-34509EXP

OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration

NONECVE-2026-32916EXP

OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Mar 31, 2026

Discovered by ZDM

Mar 31, 2026

Updated: affectedVersions, severity, activelyExploited

Mar 31, 2026

Actively Exploited

Mar 31, 2026

Patch Available

Mar 31, 2026

Version History

v2

Last enriched 9h ago

v2Tier C10h ago

Updated affected versions to include 2026.3.12, changed severity to CRITICAL, and noted that there is no exploit available.

affectedVersionsseverityactivelyExploited

via VulDB

v110h ago

Initial creation