CVE-2026-32917 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: March 31, 2026
OpenClaw - Command Injection
Overview
OpenClaw before 2026.3.13 contains a command injection vulnerability in the iMessage attachment staging flow: remote attachment paths containing shell metacharacters are passed to a shell without sanitization, letting attackers execute arbitrary commands on configured remote hosts. Exploitation requires remote attachment staging to be enabled.
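The following is an added illustration of the bug class the advisory describes, not OpenClaw's own code (its staging implementation is not shown on this page): the unsanitized shell-string pattern beside a hardened form that allowlists the path and passes it without a shell, with the extra quoting step a remote-host stage still needs. ATTACHMENT_ROOT, STAGING_DIR, the cp/ssh staging commands and all function names are assumptions.

```python
import re
import shlex
from pathlib import PurePosixPath

# Hypothetical layout (not OpenClaw's): attachments arrive under ATTACHMENT_ROOT
# and are copied into STAGING_DIR, either locally or on a configured remote host.
ATTACHMENT_ROOT = PurePosixPath("/var/lib/imessage/attachments")
STAGING_DIR = PurePosixPath("/var/lib/openclaw/staging")
# Allowlist of path characters; ; | & $ ` quotes and newlines are all rejected.
ALLOWED_PATH = re.compile(r"[A-Za-z0-9._/ -]+")

def vulnerable_stage_command(remote_path: str) -> str:
    """The CWE-78 pattern: the untrusted path is interpolated into a shell
    string, so metacharacters in it are parsed as part of the command."""
    return f"cp {remote_path} {STAGING_DIR}/"

def validate_attachment_path(remote_path: str) -> PurePosixPath:
    """Allowlisted characters, absolute, no '..' component, and confined to
    ATTACHMENT_ROOT; raises ValueError otherwise."""
    if not ALLOWED_PATH.fullmatch(remote_path or ""):
        raise ValueError("disallowed character in attachment path")
    path = PurePosixPath(remote_path)
    if not path.is_absolute() or ".." in path.parts:
        raise ValueError("relative or traversing attachment path")
    if not path.is_relative_to(ATTACHMENT_ROOT):
        raise ValueError("attachment path outside ATTACHMENT_ROOT")
    return path

def is_safe_attachment_path(remote_path: str) -> bool:
    try:
        validate_attachment_path(remote_path)
        return True
    except ValueError:
        return False

def local_stage_argv(remote_path: str) -> list[str]:
    """Hardened local form: the validated path is its own argv element; run it
    with subprocess.run(argv), never through a shell (no shell=True)."""
    path = validate_attachment_path(remote_path)
    return ["cp", "--", str(path), f"{STAGING_DIR}/"]

def remote_stage_argv(host: str, remote_path: str) -> list[str]:
    """Hardened remote form: ssh hands a single command string to the remote
    shell, so local argv separation alone does not protect it; the validated
    path is additionally shell-quoted before being embedded."""
    path = validate_attachment_path(remote_path)
    remote_cmd = f"cp -- {shlex.quote(str(path))} {shlex.quote(str(STAGING_DIR))}/"
    return ["ssh", "--", host, remote_cmd]
```

The validator rejects the metacharacter case outright; the quoting in the remote form is defence in depth for characters the allowlist still admits, such as spaces.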
Impact
Attackers can execute arbitrary commands on configured remote hosts, potentially leading to full system compromise.
Mitigation
Update to version 2026.3.13 or later. Until the update is applied, disabling remote attachment staging removes the precondition the exploit requires.
Social Media Activity(2 posts)
CVE-2026-32917 - Critical (9.8) OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote... https://www.thehackerwire.com/vulnerability/CVE-2026-32917/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-32917
- Severity: Critical
- CVSS Score: 9.8
- Type: command_injection
- Status: new
- EPSS: 51.6%
- Social Posts: 2
CWE
- CWE-78 (OS Command Injection)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H