CVE-2026-32032
Published: 19 March 2026
Summary
CVE-2026-32032 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely remediation through upgrade to OpenClaw version 2026.2.22 or later.
Prevents arbitrary shell execution by enforcing validation of untrusted environment variables like the SHELL path.
Supports mitigation by establishing secure configuration settings that sanitize or restrict propagation of untrusted environment variables to the OpenClaw process.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local arbitrary command execution via malicious SHELL env var (untrusted search path) directly enables Unix shell interpreter abuse and privilege escalation from low-priv local access.
NVD Description
OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell environment fallback that trusts the unvalidated SHELL path from the host environment. An attacker with local environment access can inject a malicious SHELL variable to execute arbitrary…
more
commands with the privileges of the OpenClaw process.
Deeper analysisAI
CVE-2026-32032 is an arbitrary shell execution vulnerability in OpenClaw versions prior to 2026.2.22. The flaw occurs in the shell environment fallback mechanism, which trusts the unvalidated SHELL path variable from the host environment without proper validation, corresponding to CWE-426 (Untrusted Search Path). Published on 2026-03-19, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
An attacker with local access to the environment and low privileges (PR:L) can exploit the vulnerability with low complexity and no user interaction required. By injecting a malicious SHELL environment variable, the attacker can execute arbitrary commands with the privileges of the running OpenClaw process, potentially leading to full compromise of the affected system.
Mitigation is provided in OpenClaw version 2026.2.22 and later, via a fix in GitHub commit 25e89cc86338ef475d26be043aa541dfdb95e52a. Further details on the vulnerability and remediation are available in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-f8mp-vj46-cq8v and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-arbitrary-shell-execution-via-unvalidated-shell-environment-variable. Practitioners should upgrade immediately and sanitize environment variables in deployments.
Details
- CWE(s)