CVE-2026-26323
EPSS 0.06%OpenClaw has a command injection in maintainer clawtributors updater
描述
### Summary Command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. ### Impact Affects contributors/maintainers (or CI) who run `bun scripts/update-clawtributors.ts` in a source checkout that contains a malicious commit author email (e.g. crafted `@users.noreply.github.com` values). Normal CLI usage is not affected (`npm i -g openclaw`): this script is not part of the shipped CLI and is not executed during routine operation. ### Affected Versions - Source checkouts: tags `v2026.1.8` through `v2026.2.13` (inclusive) - Version range (structured): `>= 2026.1.8, < 2026.2.14` ### Details The script derived a GitHub login from `git log` author metadata and interpolated it into a shell command (via `execSync`). A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run. ### Fix - Fix commit: `a429380e337152746031d290432a4b93aa553d55` - Planned patched version: `2026.2.14` ### Credits Thanks @scanleale and @MegaManSec (https://joshua.hu) of [AISLE Research Team](https://aisle.com/) for reporting.
受影響套件(1)
- npm/openclaw>= 2026.1.8, < 2026.2.14
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-26323
- PATCHhttps://github.com/openclaw/openclaw
- WEBhttps://github.com/openclaw/openclaw/commit/a429380e337152746031d290432a4b93aa553d55
- WEBhttps://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-m7x8-2w3w-pr42