Cyber Resilience

CVE-2026-31999

Medium · Public PoC

Published: 19 March 2026

Modified: 19 March 2026
KEV Added
Patch
CVSS Score v4: 5.8 (CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0009 (25.9th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31999 is a medium-severity OS Command Injection (CWE-78) vulnerability in OpenClaw. Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003). The CVE ranks at the 25.9th percentile for exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31999 is a current working directory injection vulnerability in OpenClaw on Windows, affecting versions from 2026.2.26 up to, but not including, 2026.3.1. The flaw occurs in the wrapper resolution process for .cmd and .bat files, where attackers can manipulate the current working directory (CWD) to influence execution behavior. Published on 2026-03-19, it is rated 6.3 on CVSS 3.1 (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H) and maps to CWE-78 (OS Command Injection).

Local attackers with low privileges can exploit the improper shell execution fallback by controlling the CWD during wrapper resolution. The result is a loss of command execution integrity: the attacker can potentially influence the commands that are executed, with no confidentiality impact but high integrity and availability impact. Although the description mentions remote attackers, the CVSS vector specifies local access (AV:L) with high attack complexity (AC:H).

Advisories recommend upgrading to OpenClaw 2026.3.1 or later to mitigate the vulnerability. Additional details are available in the GitHub security advisory (GHSA-6f6j-wx9w-ff4j) and the VulnCheck advisory on the CWD injection via Windows wrapper resolution fallback.

Vulnerability details

OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss by controlling the current working directory during wrapper resolution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.003 Windows Command Shell (Execution)
Adversaries may abuse the Windows command shell for execution.
T1574.008 Path Interception by Search Order Hijacking (Stealth)
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Why these techniques?

CWD manipulation during .cmd/.bat wrapper resolution directly enables path/search-order hijacking (T1574.008) that results in attacker-controlled command execution via the Windows Command Shell (T1059.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32000 · Same product: Openclaw Openclaw
CVE-2026-28391 · Same product: Openclaw Openclaw
CVE-2026-22176 · Same product: Openclaw Openclaw
CVE-2026-28460 · Same product: Openclaw Openclaw
CVE-2026-32034 · Same product: Openclaw Openclaw
CVE-2026-32010 · Same product: Openclaw Openclaw
CVE-2026-27566 · Same product: Openclaw Openclaw
CVE-2026-31996 · Same product: Openclaw Openclaw
CVE-2026-28470 · Same product: Openclaw Openclaw
CVE-2026-29607 · Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
2026.2.26 — 2026.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates CVE-2026-31999 by requiring timely identification, reporting, and remediation of the specific flaw in OpenClaw wrapper resolution, here by upgrading to version 2026.3.1 or later.

prevent

Requires validation of inputs like current working directory paths during wrapper resolution to prevent CWD injection and command execution integrity loss.

detect

Enables monitoring of system processes and execution anomalies to detect exploitation attempts via manipulated CWD leading to unauthorized command execution.
