CVE-2026-26323

8.8 HIGH

📋 TL;DR

OpenClaw versions 2026.1.8 through 2026.2.13 have a command injection vulnerability in a developer script that processes git commit metadata. When maintainers or CI systems run the affected script, malicious commit author emails can execute arbitrary shell commands. Only developers and CI environments running the script from source are affected - normal CLI users are not vulnerable.

💻 Affected Systems

Products:
  • OpenClaw
Versions: 2026.1.8 through 2026.2.13
Operating Systems: All platforms where the script can be executed
Default Config Vulnerable: ✅ No
Notes: Only affects source checkouts where developers run the update-clawtributors.ts script. Normal npm installations are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the developer's system or CI environment, allowing attackers to steal credentials, deploy malware, or pivot to other systems.

🟠 Likely Case

Limited impact on individual developer machines or isolated CI runners, potentially leading to credential theft or code modification.

🟢 If Mitigated

No impact if developers don't run the script or have updated to patched versions.

🌐 Internet-Facing: LOW - The script is not part of the shipped application and requires local execution.
🏢 Internal Only: MEDIUM - Developer workstations and CI/CD pipelines running the script could be compromised.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to inject malicious commit metadata into the repository and for developers to run the affected script.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2026.2.14

Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-m7x8-2w3w-pr42

Restart Required: No

Instructions:

1. Update OpenClaw to version 2026.2.14 or later.
2. For source checkouts: git pull to get the latest commit with the fix.
3. Verify the script no longer uses unsafe shell command interpolation.

🔧 Temporary Workarounds

Avoid running the vulnerable script

Platform: all

Do not execute the update-clawtributors.ts script from affected versions.

  # Do not run: bun scripts/update-clawtributors.ts

Sanitize git commit history

Platform: all

Review and clean commit history to remove potentially malicious author emails.

  git log --format="%ae" | grep -E '[;&|`$]'
  # Review suspicious emails

🧯 If You Can't Patch

  • Implement strict code review processes to prevent malicious commits
  • Run developer scripts in isolated containers or sandboxed environments

🔍 How to Verify

Check if Vulnerable:

Check OpenClaw version: if between 2026.1.8 and 2026.2.13, and you run scripts/update-clawtributors.ts from source, you are vulnerable.

Check Version:

Run openclaw --version, or check the version field in package.json.

Verify Fix Applied:

Verify version is 2026.2.14 or later, and check that the script uses safe command execution methods.
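As an added illustration of the "sanitize commit history" workaround and the "safe command execution" check above (example code written here, not OpenClaw's script): a checker that flags author emails the workaround's grep would catch, and a helper that invokes git with an argument array so no shell ever parses the email. It assumes git is on PATH; the sample log output is constructed.

```typescript
import { execFileSync } from "node:child_process";

// Allowlist of a conservative email shape; anything outside it is rejected
// rather than trying to enumerate every shell metacharacter.
const SAFE_EMAIL = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
// Denylist matching the advisory's workaround: grep -E '[;&|`$]'
const SHELL_META = /[;&|`$]/;

function isSafeAuthorEmail(email: string): boolean {
  return SAFE_EMAIL.test(email) && !SHELL_META.test(email);
}

// Scan raw `git log --format=%ae` output (one email per line) and return the
// entries that would be unsafe to interpolate into a shell command.
function findSuspiciousEmails(logOutput: string): { line: number; email: string }[] {
  return logOutput
    .split("\n")
    .map((email, i) => ({ line: i + 1, email: email.trim() }))
    .filter(({ email }) => email.length > 0 && !isSafeAuthorEmail(email));
}

// UNSAFE shape the advisory describes (shown as a comment only, for review):
//   exec(`git log --author=${email} ...`)   // email reaches /bin/sh
//
// SAFE shape: execFile with an argument array. The email is one argv element
// and no shell parses it. Suspicious values are refused before git is called.
function commitsByAuthor(email: string, cwd: string): string[] {
  if (!isSafeAuthorEmail(email)) {
    throw new Error(`refusing suspicious author email: ${email}`);
  }
  const out = execFileSync("git", ["log", "--format=%H", `--author=${email}`], {
    cwd,
    encoding: "utf8",
  });
  return out.split("\n").filter((l) => l.length > 0);
}

// Constructed sample of `git log --format=%ae` output (not real repo data).
const SAMPLE_LOG = [
  "alice@example.com",
  "bob@example.org",
  "carol@example.com; id",
  "dave@example.net`whoami`",
].join("\n");
```

Run findSuspiciousEmails over the real `git log --format=%ae` output to get the same hits as the grep workaround, with line numbers for review.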

📡 Detection & Monitoring

Log Indicators:

  • Unexpected shell commands executed during script runs
  • Suspicious process spawns from bun/node processes

Network Indicators:

  • Unexpected outbound connections from developer workstations during script execution

SIEM Query:

Process execution where parent_process contains 'bun' or 'node' and command_line contains 'update-clawtributors'
