CVE-2026-53822
8.8 HIGHOpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution
Published: 2026-06-12 · Last updated: 2026-06-12
Severity and scoring
- CVSS
- 8.8 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-367
Description
OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution. Attackers can rebuild command arguments after allowlist approval to execute unapproved command shapes, potentially bypassing security controls.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-54228 — A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method (7.8 HIGH)
- CVE-2026-53838 — OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approv... (9.8 CRITICAL)
- CVE-2026-53831 — OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expan... (8.3 HIGH)
- CVE-2026-54055 — Kitty is a cross-platform GPU based terminal (5.0 MEDIUM)
- CVE-2026-42306 — Moby is an open source container framework (7.2 HIGH)