Cyber Posture

CVE-2026-25157

Severity: High


Published: 04 February 2026
Modified: 13 February 2026
KEV Added: not listed
Patch: fixed in 2026.1.29
CVSS Score: 7.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.4th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25157 is a high-severity OS Command Injection (CWE-78) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). EPSS ranks it at the 0.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and one other technique (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Validates and sanitizes user-supplied project root paths and SSH target strings prior to use in shell commands or SSH invocations, directly preventing OS command injection.

SI-11 Error Handling (prevent): Ensures error handling in sshNodeCommand avoids interpolating unescaped user input into echo statements or shell scripts, blocking injection when cd fails.

Flaw remediation (prevent): Requires timely identification, reporting, and patching of flaws like CVE-2026-25157, as demonstrated by the fix in OpenClaw version 2026.1.29.

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (tactic: Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

OS command injection (CWE-78) in shell script construction and SSH argument parsing directly enables arbitrary Unix shell command execution (T1059.004) on local or remote hosts, and exploitation of a client application for code execution (T1203) via crafted user-supplied inputs.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.

Deeper analysis

CVE-2026-25157 is an OS command injection vulnerability (CWE-78) affecting OpenClaw, a personal AI assistant, in versions prior to 2026.1.29. The issue manifests in two ways: first, the sshNodeCommand function constructs a shell script without properly escaping the user-supplied project root path in an error message; if the cd command fails, this unescaped path is interpolated into an echo statement, enabling arbitrary command execution on the remote SSH host. Second, the parseSSHTarget function fails to validate SSH target strings that begin with a dash, such as -oProxyCommand=..., causing the string to be interpreted as an SSH configuration flag rather than a hostname and allowing arbitrary command execution on the local machine. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Exploitation requires local access (AV:L) with no privileges (PR:N), but high attack complexity (AC:H) and user interaction (UI:R), such as tricking a user into supplying a malicious project path or SSH target. An attacker could achieve arbitrary command execution either on the remote SSH host, via a crafted project root path that triggers the faulty echo interpolation after a cd failure, or on the local machine, by providing an SSH target prefixed with a dash to hijack SSH options such as ProxyCommand.

The vulnerability has been addressed in OpenClaw version 2026.1.29. Additional details are available in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585.
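The two defects described above map onto two code-level controls: quote every value that is interpolated into a shell script (including the ones inside error-reporting branches, which is where the echo defect lived), and reject SSH targets that could be parsed as options. The following is an added illustration, not OpenClaw's source and not taken from the advisory; the names sshNodeCommand and parseSSHTarget are borrowed from the advisory text, but their bodies here are a hypothetical reconstruction of the pattern. It shows the unquoted error branch beside a hardened one, and a target parser that refuses any string beginning with a dash.

```javascript
// Added example for CVE-2026-25157 (not the project's code). The function
// names come from the advisory; the bodies are a hypothetical reconstruction
// of the vulnerable pattern and of one way to harden it.

// POSIX single-quote escaping: wrap the value in '...' and turn each embedded
// ' into '\''. Inside single quotes the shell performs no expansion, so
// spaces, quotes, $(...), backticks, ; and | in the value are all literal.
function shellQuote(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// Vulnerable pattern: the project root is interpolated into the script twice,
// unquoted. If `cd` fails, the error branch is executed and the shell parses
// the path text as part of the echo command line.
function buildRemoteScriptVulnerable(projectRoot) {
  return `cd ${projectRoot} || { echo "cd failed: ${projectRoot}"; exit 1; }`;
}

// Hardened pattern: every interpolation site is quoted, the error branch
// included. printf with a fixed format is used instead of echo so that a path
// beginning with "-" cannot be mistaken for an echo option either.
function buildRemoteScriptHardened(projectRoot) {
  const q = shellQuote(projectRoot);
  return `cd ${q} || { printf 'cd failed: %s\\n' ${q}; exit 1; }`;
}

// Accept only a plain [user@]host. Both the user part and the host part must
// start with an alphanumeric character, so a target such as "-oProxyCommand=..."
// (which ssh would read as an option) is rejected before it reaches argv.
const TARGET_RE = /^(?:([A-Za-z0-9][A-Za-z0-9._-]*)@)?([A-Za-z0-9][A-Za-z0-9.-]*)$/;

function parseSSHTarget(target) {
  const t = String(target).trim();
  if (t.startsWith('-')) {
    throw new Error(`SSH target must not begin with "-": ${JSON.stringify(t)}`);
  }
  const m = TARGET_RE.exec(t);
  if (!m) {
    throw new Error(`SSH target is not a plain [user@]host: ${JSON.stringify(t)}`);
  }
  return { user: m[1] || null, host: m[2] };
}

// Build the argv for the remote invocation. Validation above is the primary
// control; the "--" end-of-options marker (standard getopt behaviour) is a
// second layer so that nothing after it can be parsed as an ssh option.
function sshNodeCommand(target, projectRoot) {
  const { user, host } = parseSSHTarget(target);
  const destination = user ? `${user}@${host}` : host;
  return ['ssh', '--', destination, buildRemoteScriptHardened(projectRoot)];
}

// Stand-alone demo: run the hardened script through a local sh to show that a
// constructed path containing a space and a quote survives intact.
if (typeof require !== 'undefined' && require.main === module) {
  const { spawnSync } = require('node:child_process');
  const root = "/tmp/does not exist 'here'"; // constructed sample path
  const r = spawnSync('sh', ['-c', buildRemoteScriptHardened(root)], { encoding: 'utf8' });
  console.log((r.stdout || '').trim());
  console.log(sshNodeCommand('deploy@build-host.example', root));
}

module.exports = { shellQuote, buildRemoteScriptVulnerable, buildRemoteScriptHardened, parseSSHTarget, sshNodeCommand };
```

Run with `node` to see the hardened script print the constructed path verbatim; the vulnerable builder is kept only to make the difference visible side by side. In a real code base the quoting helper should be applied at every site that turns a user-controlled string into shell text, and the target parser should run before any argv is assembled, which is what the SI-10 and SI-11 controls listed above amount to in practice.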

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: openclaw / openclaw, ≤ 2026.1.29

AI Security Analysis

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One

CVE-2026-27487 (same product: Apple Macos)
CVE-2026-32016 (same product: Apple Macos)
CVE-2026-26323 (same product: Openclaw Openclaw)
CVE-2026-24763 (same product: Openclaw Openclaw)
CVE-2026-22179 (same product: Openclaw Openclaw)
CVE-2026-32917 (same product: Openclaw Openclaw)
CVE-2026-28463 (same product: Openclaw Openclaw)
CVE-2026-27566 (same product: Openclaw Openclaw)
CVE-2026-32003 (same product: Openclaw Openclaw)
CVE-2026-32056 (same product: Openclaw Openclaw)
