CVE-2026-32052

Severity: Medium · Public PoC · RCE

Published: 21 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: OpenClaw 2026.2.24 or later
CVSS v4.0 score: 5.8 (vector CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0091 (55.4th percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-32052 is a medium-severity Interpretation Conflict (CWE-436) vulnerability in OpenClaw (vendor: Openclaw; product: Openclaw). Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 44.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32052 is a command injection vulnerability affecting OpenClaw versions prior to 2026.2.24, specifically in the system.run shell-wrapper component. The flaw allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads, enabling them to craft misleading approval text while bypassing display context validation. It is rated with a CVSS v3.1 base score of 6.4 (AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H) and is associated with CWE-436 (Interpretation Conflict) and CWE-77 (Command Injection).

Attackers with low privileges can exploit this vulnerability over the network, though it requires high attack complexity and user interaction. Successful exploitation allows arbitrary command execution, resulting in high integrity and availability impacts but no confidentiality impact.

Mitigation is addressed in OpenClaw GitHub commits 0f0a680d3df81739ea5088a2f88e65f938b7936b and 55cf92578d266987e390c4bf688196af98eac748, along with the GHSA-6rcp-vxwf-3mfp security advisory and a detailed analysis from VulnCheck at https://www.vulncheck.com/advisories/openclaw-hidden-command-execution-via-shell-wrapper-positional-argv-carriers. Users should upgrade to OpenClaw 2026.2.24 or later to patch the issue.

Vulnerability details

OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary commands through trailing positional arguments that bypass display context validation.
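The pattern the advisory describes can be checked on the defender's side before an approval prompt is shown. The following is an added Python example, not OpenClaw's code: this page does not show the internals of system.run, so the model of an "argv list plus approval text", the set of shell names, the function names and the deny-by-default policy are all assumptions. The check parses a `<shell> [opts] -c <script> [args...]` argv, builds the approval text from the complete argv rather than from the inline script alone, and refuses the invocation when positional carriers follow the script, because a script can read them as $0, $1, ... while a script-only display never shows them.

```python
"""Approval check for shell-wrapper invocations (added example; hypothetical API).

Assumed model: a tool executes argv lists on a user's behalf and shows an
approval prompt first. If that prompt renders only the inline script of
`sh -c <script>`, trailing positional arguments (readable by the script as
$0, $1, ...) never appear in what the user approves. This check closes the
gap by (1) rendering the whole argv and (2) refusing trailing positionals
unless policy explicitly allows them. Nothing here is OpenClaw's code.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# Interpreters whose -c flag takes an inline script (assumed list).
SHELL_WRAPPERS = {"sh", "bash", "dash", "zsh", "ksh"}

# $0..$9, $@, $*, ${1}, ${@:2} ...: the script consumes positional parameters.
POSITIONAL_REF = re.compile(r"\$(?:[0-9@*]|\{[0-9@*])")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    display: str  # the text the approval prompt should show


def split_shell_wrapper(argv: list[str]) -> tuple[str, list[str]] | None:
    """Return (inline_script, trailing_positionals) for `<shell> [opts] -c <script> [args]`.

    Returns None when argv is not an inline shell wrapper (script file,
    other program, or malformed -c with no script).
    """
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    if prog not in SHELL_WRAPPERS:
        return None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-o", "+o"):  # option name follows as a separate word
            i += 2
            continue
        # Short option cluster containing 'c' (-c, -ec, -xc); long options are skipped.
        if arg.startswith("-") and not arg.startswith("--") and "c" in arg[1:]:
            if i + 1 >= len(argv):
                return None  # -c without a script: let the shell reject it
            return argv[i + 1], argv[i + 2:]
        if not arg.startswith(("-", "+")):
            return None  # first non-option word is a script file, not an inline script
        i += 1
    return None


def render_approval(argv: list[str]) -> str:
    """Approval text built from the whole argv, so positionals are never hidden."""
    return shlex.join(argv)


def check_shell_command(argv: list[str], allow_positionals: bool = False) -> Verdict:
    """Decide whether an argv may be shown for approval and executed as shown."""
    display = render_approval(argv)
    parsed = split_shell_wrapper(argv)
    if parsed is None:
        return Verdict(True, "not an inline shell wrapper", display)
    script, trailing = parsed
    if trailing and not allow_positionals:
        return Verdict(
            False,
            f"{len(trailing)} positional argument(s) follow the inline script "
            f"($0..${len(trailing) - 1}); rejected by policy",
            display,
        )
    if trailing and POSITIONAL_REF.search(script):
        return Verdict(True, "script consumes positionals; shown in full for approval", display)
    return Verdict(True, "ok", display)


if __name__ == "__main__":
    # Constructed sample invocations (benign), not taken from the advisory.
    samples = [
        ["sh", "-c", "echo hello"],
        ["bash", "-c", 'echo "$1"', "_", "extra"],
        ["ls", "-la"],
    ]
    for argv in samples:
        v = check_shell_command(argv)
        print(f"{'ALLOW' if v.allowed else 'DENY '} {v.display!r}: {v.reason}")
```

The design choice worth noting is that the denial is made on argv structure, not on the content of the script: validating what the script "looks like" is exactly the display-context check the advisory says was bypassed, whereas refusing (or fully displaying) anything after the script removes the channel through which the displayed text and the executed command can diverge.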

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection vulnerability in shell-wrapper enables remote exploitation for arbitrary Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32063 (same product: Openclaw Openclaw)
CVE-2026-44115 (same product: Openclaw Openclaw)
CVE-2026-28466 (same product: Openclaw Openclaw)
CVE-2026-4039 (same product: Openclaw Openclaw)
CVE-2026-41352 (same product: Openclaw Openclaw)
CVE-2026-28463 (same product: Openclaw Openclaw)
CVE-2026-43530 (same product: Openclaw Openclaw)
CVE-2026-32032 (same product: Openclaw Openclaw)
CVE-2026-32003 (same product: Openclaw Openclaw)
CVE-2026-32922 (same product: Openclaw Openclaw)

Affected Assets

Vendor: openclaw
Product: openclaw
Versions: ≤ 2026.2.24

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly prevents command injection by validating inputs to the system.run shell-wrapper, blocking malicious positional argv carriers and inline shell payloads.

SI-2 Flaw Remediation (prevent)
Ensures timely remediation of the specific command injection flaw by patching to OpenClaw 2026.2.24 or later.

Least privilege (prevent)
Limits the damage from a successful command injection by confining what the low-privilege account required for exploitation (PR:L) can do, so that arbitrary command execution has a smaller reachable impact.