CVE-2026-26323 – OpenClaw has a command injection in maintainer clawtributors updater

CVE ID : CVE-2026-26323

Published : Feb. 19, 2026, 10:47 p.m. | 13 minutes ago

Description : OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. The issue affects contributors/maintainers (or CI) who run `bun scripts/update-clawtributors.ts` in a source checkout that contains a malicious commit author email (e.g. crafted `@users[.]noreply[.]github[.]com` values). Normal CLI usage is not affected (`npm i -g openclaw`): this script is not part of the shipped CLI and is not executed during routine operation. The script derived a GitHub login from `git log` author metadata and interpolated it into a shell command (via `execSync`). A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run. Version 2026.2.14 contains a patch.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-26952 – Pi-hole Web Interface has Stored HTML Injection via Local DNS Records (CNAME/Hosts) in data-tag Attribute

CVE-2026-1658 – Content spoofing vulnerability discovered in OpenText™ Directory Services

CVE-2025-9208 – Stored-XSS vulnerability discovered in OpenText WSM Management Server.

CVE-2025-13671 – Cross Site request forgery vulnerability discovered in OpenText WSM Management Server.