Cyber Resilience

CVE-2026-22168

HighPublic PoC

Published: 18 March 2026

Published
18 March 2026
Modified
19 March 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0041 32.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22168 is a high-severity Argument Injection (CWE-88) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003); ranked at the 32.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AU-3 (Content of Audit Records) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22168 is an approval-integrity mismatch vulnerability in the system.run component of OpenClaw versions prior to 2026.2.21. This issue affects trusted Windows nodes, where authenticated operators can execute arbitrary trailing arguments appended after "cmd.exe /c" while the approval text displays only a benign command. Classified under CWE-88 (Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')), it carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-18.

Authenticated operators with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation smuggles malicious arguments through "cmd.exe /c," enabling arbitrary local command execution on affected Windows nodes and producing mismatched audit logs that fail to capture the true commands run, potentially exposing sensitive data due to the high confidentiality impact (C:H).

Advisories recommend mitigation by upgrading to OpenClaw version 2026.2.21 or later. Relevant details are provided in the patching commit at https://github.com/openclaw/openclaw/commit/6007941f04df1edcca679dd6c95949744fdbd4df, the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-5v6x-rfc3-7qfr, and the Vulncheck advisory at https://www.vulncheck.com/advisories/openclaw-command-injection-via-cmd-exe-c-trailing-arguments-in-system-run.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign command. Attackers can smuggle malicious arguments through cmd.exe /c…

more

to achieve local command execution on trusted Windows nodes with mismatched audit logs.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

Argument injection into cmd.exe /c directly enables arbitrary Windows command execution by authenticated operators.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32000Same product: Openclaw Openclaw
CVE-2026-31999Same product: Openclaw Openclaw
CVE-2026-22176Same product: Openclaw Openclaw
CVE-2026-28391Same product: Openclaw Openclaw
CVE-2026-27646Same product: Openclaw Openclaw
CVE-2026-32924Same product: Openclaw Openclaw
CVE-2026-42431Same product: Openclaw Openclaw
CVE-2026-27523Same product: Openclaw Openclaw
CVE-2026-28463Same product: Openclaw Openclaw
CVE-2026-41394Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.2.21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation and sanitization of inputs to the system.run function to neutralize argument delimiters and prevent smuggling of arbitrary trailing arguments after cmd.exe /c.

prevent

SI-2 mandates timely flaw remediation by patching OpenClaw to version 2026.2.21 or later, directly eliminating the approval-integrity mismatch vulnerability.

detect

AU-3 ensures audit records capture the full actual command executed, including smuggled arguments, to reveal mismatches between approved text and true execution for detection.

References