CVE-2026-26323
Status: Received - Intake
Command Injection in OpenClaw Maintainer Script via Malicious Git Metadata

Publication date: 2026-02-19

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. The issue affects contributors/maintainers (or CI) who run `bun scripts/update-clawtributors.ts` in a source checkout that contains a malicious commit author email (e.g. crafted `@users[.]noreply[.]github[.]com` values). Normal CLI usage is not affected (`npm i -g openclaw`): this script is not part of the shipped CLI and is not executed during routine operation. The script derived a GitHub login from `git log` author metadata and interpolated it into a shell command (via `execSync`). A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run. Version 2026.2.14 contains a patch.
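The pattern at the root of this advisory, and its fix, as an added example that is not OpenClaw's own code: the login is extracted from the noreply address and validated against GitHub's login syntax before it is used, and the command is run with an argument array rather than a shell string. The `gh api users/<login>` lookup is a placeholder assumption; the page does not say which command the script runs.

```typescript
// Added example, not code from scripts/update-clawtributors.ts. The lookup
// command (gh api users/<login>) is an assumption used only for illustration.
import { execFileSync } from "node:child_process";

// GitHub logins: 1-39 characters of [A-Za-z0-9-], no leading/trailing hyphen.
const LOGIN_RE = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?$/;
// Characters that change meaning when a string reaches a POSIX shell.
const SHELL_META_RE = /[;&|`$()<>\\'"\s]/;

// Derive a login from a noreply address such as 12345+octocat@users.noreply.github.com.
// Anything that is not a clean login yields null, so it never reaches a command.
export function loginFromNoreply(email: string): string | null {
  const m = /^(?:\d+\+)?([^@]+)@users\.noreply\.github\.com$/i.exec(email.trim());
  if (!m) return null;
  const login = m[1];
  return LOGIN_RE.test(login) ? login : null;
}

// The CWE-78 shape: a template string handed to a shell via execSync.
// Kept only to contrast with buildArgv; never run it with untrusted input.
export function buildShellCommandUnsafe(login: string): string {
  return `gh api users/${login}`;
}

// Safe shape: file plus argv array, no shell involved, so metacharacters are inert.
export function buildArgv(login: string): { file: string; args: string[] } {
  return { file: "gh", args: ["api", `users/${login}`] };
}

// Validate first, then spawn without a shell. Throws instead of guessing.
export function lookupUser(email: string): string {
  const login = loginFromNoreply(email);
  if (login === null) throw new Error(`refusing to look up untrusted author: ${email}`);
  const { file, args } = buildArgv(login);
  return execFileSync(file, args, { encoding: "utf8" });
}

// Detection helper for `git log --format='%ae'` output: returns author emails
// that contain shell metacharacters and therefore deserve a look.
export function suspiciousAuthors(gitLogEmails: string): string[] {
  return gitLogEmails
    .split("\n")
    .filter((e) => e.length > 0 && SHELL_META_RE.test(e));
}
```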
Meta Information
Published: 2026-02-19
Last Modified: 2026-02-20
Generated: 2026-04-27
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-04-26
Affected Vendors & Products
Showing 1 associated CPE

Vendor | Product | Version / Range
openclaw | openclaw | From 2026.1.8 (inc) to 2026.2.14 (exc)
CWE ID | Description
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in OpenClaw versions 2026.1.8 through 2026.2.13 in a maintainer/developer script called `scripts/update-clawtributors.ts`. The script processes Git commit author metadata and uses it to build shell commands. If a malicious commit author email is crafted with shell metacharacters, it can inject and execute arbitrary commands when the script is run by contributors, maintainers, or continuous integration systems.

Normal users running the OpenClaw CLI as installed globally are not affected because this script is not part of the shipped CLI and is not executed during routine operation.

The vulnerability was fixed in version 2026.2.14.


How can this vulnerability impact me?

If you are a contributor, maintainer, or running continuous integration that executes the vulnerable script `scripts/update-clawtributors.ts`, a malicious commit author email could cause arbitrary shell commands to run on your system.

This could lead to unauthorized code execution, potentially compromising your development environment or CI infrastructure.

However, normal users of the OpenClaw CLI who do not run this script are not impacted.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the vulnerable script `scripts/update-clawtributors.ts` is present and used in your source checkout, especially if it is run with `bun scripts/update-clawtributors.ts`.

You can inspect the git commit author emails for suspicious or malicious entries that might contain shell metacharacters or crafted email addresses such as those mimicking `@users.noreply.github.com` with injected commands.

  • Run a command to list commit author emails and look for suspicious patterns, for example: `git log --format='%ae' | grep -E '[;&|`$()]'`
  • Check if the vulnerable script is executed in your environment by searching for usage of `bun scripts/update-clawtributors.ts` in CI or maintainer workflows.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to upgrade OpenClaw to version 2026.2.14 or later, which contains a patch for this vulnerability.

Avoid running the vulnerable script `scripts/update-clawtributors.ts` on source checkouts that may contain untrusted or malicious commit author metadata.

Review and sanitize commit author emails in your repository to ensure they do not contain shell metacharacters or malicious payloads.

