UNKNOWN

CVE-2026-32917

OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths in SCP

Platform

other

Component

openclaw

Fixed in

2026.3.13

OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote attachment paths containing shell metacharacters are passed directly to the SCP remote operand without validation, enabling command execution when remote attachment staging is enabled.

How to fix

Upgrade OpenClaw to version 2026.3.13 or later. This fixes the remote command injection vulnerability by properly validating iMessage attachment paths before passing them to SCP.
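The kind of validation described above, as an added example that is not OpenClaw's code or the actual patch: a remote attachment path is checked against a character allowlist and a staging root before it is placed in the SCP remote operand. The staging root, the host name and the function names are assumptions made for illustration.

```javascript
// Added example, not OpenClaw source. ALLOWED_ROOT, the host name and the
// function names are hypothetical.
const ALLOWED_ROOT = "/Users/relay/Library/Messages/Attachments";

// Allowlist: characters with no meaning to a shell (no spaces, quotes,
// $ ` ; | & < > ( ) * ? ~ or control characters).
const SAFE_PATH_CHARS = /^[A-Za-z0-9._\/-]+$/;
const SAFE_HOST = /^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/;

// Returns the path unchanged if it is safe to place in an scp remote operand,
// otherwise throws. Rejecting instead of quoting fails closed.
function validateRemoteAttachmentPath(remotePath) {
  if (typeof remotePath !== "string" || remotePath.length === 0 || remotePath.length > 1024) {
    throw new Error("attachment path missing or too long");
  }
  if (!SAFE_PATH_CHARS.test(remotePath)) {
    throw new Error("attachment path contains disallowed characters");
  }
  if (!remotePath.startsWith(ALLOWED_ROOT + "/")) {
    throw new Error("attachment path outside staging root");
  }
  // Reject "", "." and ".." segments so the prefix check cannot be bypassed.
  const segments = remotePath.slice(ALLOWED_ROOT.length + 1).split("/");
  if (segments.some((s) => s === "" || s === "." || s === "..")) {
    throw new Error("attachment path is not normalized");
  }
  return remotePath;
}

// Builds an argv array for execFile("scp", argv): no local shell is involved,
// and "--" stops scp from parsing any operand as an option.
function buildScpArgs(host, remotePath, localDir) {
  if (!SAFE_HOST.test(host)) throw new Error("invalid host");
  const safePath = validateRemoteAttachmentPath(remotePath);
  return ["--", `${host}:${safePath}`, localDir];
}

// Helper for checking constructed sample paths without handling exceptions.
function accepts(remotePath) {
  try { validateRemoteAttachmentPath(remotePath); return true; } catch { return false; }
}
```

File names outside the allowlist, including ones with spaces, are rejected here; a deployment that must accept them needs a transfer method that never hands the path to a remote shell.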

CVE-2026-32917 - Vulnerability Details | NextGuard