CVE-2026-26323
Received Received - Intake
Command Injection in OpenClaw Maintainer Script via Malicious Git Metadata

Publication date: 2026-02-19

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. The issue affects contributors/maintainers (or CI) who run `bun scripts/update-clawtributors.ts` in a source checkout that contains a malicious commit author email (e.g. crafted `@users[.]noreply[.]github[.]com` values). Normal CLI usage is not affected (`npm i -g openclaw`): this script is not part of the shipped CLI and is not executed during routine operation. The script derived a GitHub login from `git log` author metadata and interpolated it into a shell command (via `execSync`). A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run. Version 2026.2.14 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-20
Generated
2026-06-10
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-26323
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw From 2026.1.8 (inc) to 2026.2.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenClaw versions 2026.1.8 through 2026.2.13 in a maintainer/developer script called `scripts/update-clawtributors.ts`. The script processes Git commit author metadata and uses it to build shell commands. If a malicious commit author email is crafted with shell metacharacters, it can inject and execute arbitrary commands when the script is run by contributors, maintainers, or continuous integration systems.

Normal users running the OpenClaw CLI as installed globally are not affected because this script is not part of the shipped CLI and is not executed during routine operation.

The vulnerability was fixed in version 2026.2.14.

Impact Analysis

If you are a contributor, maintainer, or running continuous integration that executes the vulnerable script `scripts/update-clawtributors.ts`, a malicious commit author email could cause arbitrary shell commands to run on your system.

This could lead to unauthorized code execution, potentially compromising your development environment or CI infrastructure.

However, normal users of the OpenClaw CLI who do not run this script are not impacted.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the vulnerable script `scripts/update-clawtributors.ts` is present and used in your source checkout, especially if it is run with `bun scripts/update-clawtributors.ts`.

You can inspect the git commit author emails for suspicious or malicious entries that might contain shell metacharacters or crafted email addresses such as those mimicking `@users.noreply.github.com` with injected commands.

  • Run a command to list commit author emails and look for suspicious patterns, for example: `git log --format='%ae' | grep -E '[;&|`$()]'`
  • Check if the vulnerable script is executed in your environment by searching for usage of `bun scripts/update-clawtributors.ts` in CI or maintainer workflows.
Mitigation Strategies

The immediate mitigation is to upgrade OpenClaw to version 2026.2.14 or later, which contains a patch for this vulnerability.

Avoid running the vulnerable script `scripts/update-clawtributors.ts` on source checkouts that may contain untrusted or malicious commit author metadata.

Review and sanitize commit author emails in your repository to ensure they do not contain shell metacharacters or malicious payloads.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26323. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart