216.73.217.98

CVE-2026-32917

· Published 31/03/2026 12:16 · Modified 01/04/2026 14:24

Labels: CVE-2026-32917 2026-03-31CVE-2026-32917CWE-78[email protected]

Essential information

Published
31/03/2026 12:16
Modified
01/04/2026 14:24
Author
Creator
CVSS
9.2 CRITICAL (v3) 9.2 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote attachment paths containing shell metacharacters are passed directly to the SCP remote operand without validation, enabling command execution when remote attachment staging is enabled.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
openclaw / openclaw cpe:2.3:a:openclaw:openclaw:<2026.3.13:*:*:*:*:*:*:*

References