CVE-2026-9565
Deferred Deferred - Pending Action
Command Injection in WorkClaw Application

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: VulDB

Description
A vulnerability was determined in haojing8312 WorkClaw up to 0.6.4. This affects the function is_dangerous of the file apps/runtime/src-tauri/src/agent/tools/bash.rs of the component Blacklist Handler. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-9565
EUVD
EUVD-2026-31886
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
haojing8312 workclaw to 0.6.4 (inc)
haojing8312 workclaw From 0.1.0 (inc) to 0.6.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in CVE-2026-9565 is due to a flawed command filtering mechanism in the WorkClaw software, specifically in the is_dangerous function within the bash.rs file. This function uses an inadequate blacklist-based approach to detect dangerous commands, which fails because of critical design flaws.

  • Incomplete pattern coverage leading to bypasses (CWE-184).
  • Reliance on naive substring matching instead of proper command validation (CWE-183).
  • Lack of support for multi-spaces, tabs, absolute paths, shell syntax parsing, and effective case conversion.

As a result, multiple malicious command variants can bypass detection, including those with extra spaces, absolute paths, line breaks, quoted parameters, and commands not included in the limited blacklist. This allows an attacker to execute OS command injection remotely.

Impact Analysis

This vulnerability can allow an attacker to remotely execute arbitrary operating system commands on the affected system running WorkClaw. Because the blacklist filtering is ineffective, malicious commands can bypass detection and be executed.

Potential impacts include unauthorized access, manipulation or destruction of data, execution of malicious code, and compromise of the local environment where WorkClaw operates.

Given WorkClaw's role in managing AI employee teams and storing sensitive data locally, exploitation could lead to exposure or corruption of sensitive information.

Detection Guidance

The vulnerability in WorkClaw involves a flawed blacklist-based command filtering mechanism in the is_dangerous function, which fails to detect malicious commands due to incomplete pattern coverage and naive substring matching.

Detection on your system would involve monitoring for suspicious command executions that bypass the blacklist, especially those using variants with extra spaces, absolute paths, line breaks, quoted parameters, or commands not included in the limited blacklist.

Since the vulnerability is related to OS command injection, you can look for unusual or unexpected shell commands executed by the WorkClaw process.

  • Use process monitoring tools (e.g., `ps`, `top`, or `htop`) to identify WorkClaw processes and inspect their command lines.
  • Use system audit tools like `auditd` or `sysmon` to log command executions related to WorkClaw.
  • Run commands to check for suspicious processes or commands, for example: `ps aux | grep workclaw` or `pgrep -a workclaw`.
  • Monitor network traffic for unusual outbound connections initiated by WorkClaw that could indicate exploitation.
Mitigation Strategies

Immediate mitigation steps include updating WorkClaw to the latest patched version once available, as the vulnerability affects versions up to 0.6.4.

Review and tighten permission settings within WorkClaw to limit the ability to execute potentially dangerous commands.

Ensure secure configuration of the application, including restricting access to the runtime environment and avoiding running WorkClaw with elevated privileges.

Monitor for suspicious activity and consider disabling or restricting features that allow command execution until a fix is applied.

Follow official guidance and security disclosures from the WorkClaw project, including reviewing their SECURITY.md file for updates and recommended practices.

Compliance Impact

The CVE-2026-9565 vulnerability in WorkClaw involves a flawed command filtering mechanism that can lead to OS command injection, potentially allowing unauthorized access or malicious actions.

Given that WorkClaw stores sensitive data locally, including conversations and employee memories, exploitation of this vulnerability could result in unauthorized data access or manipulation.

Such unauthorized access or data compromise could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, this vulnerability poses a risk to maintaining compliance with these standards by potentially exposing protected data through insufficient security controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9565. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart