OpenClaw OS Command Injection Vulnerability in SSH Remote Connection Handling
Vulnerability
OpenClaw, a personal AI assistant, contains a command injection vulnerability in versions prior to 2026.1.29. The issue lies in the macOS application's SSH remote connection handling and has two distinct input vectors. First, the sshNodeCommand function does not properly escape user-supplied project paths before placing them in the command it runs over SSH, so shell metacharacters in a path lead to arbitrary command execution on the remote SSH host. Second, the parseSSHTarget function does not validate SSH target strings, so an attacker-supplied target can cause commands to execute on the local machine.
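The two patterns the advisory describes, each shown beside a hardened form, as an added example in Python. This is not OpenClaw's code; the function names, the `./run-node` command, and the sample target and path values are constructed for illustration. The local-execution mechanism shown for the target vector (a leading `-` being read by ssh as an option such as ProxyCommand) is the classic consequence of an unvalidated target, not a detail the advisory states.

```python
"""Added example, not OpenClaw's code: unescaped project path and unvalidated
SSH target, each beside a hardened version. Names are illustrative."""
import re
import shlex
import subprocess

# Pattern 1 (as the advisory describes for sshNodeCommand): the project path is
# interpolated unescaped into the remote shell line, and the whole line is a
# single string meant for a local shell.
def ssh_command_vulnerable(target, project_path):
    return f'ssh {target} "cd {project_path} && ./run-node"'

# What the remote login shell will actually receive from the vulnerable string:
# a single argument in which the path's ';' is live shell syntax.
def remote_argument_of(command_string):
    return shlex.split(command_string)[2]

# Pattern 2 (as the advisory describes for parseSSHTarget): the target is used
# as-is. OpenSSH treats a leading "-" as an option; ProxyCommand in particular
# is run on the *local* machine before any connection is made. The strict
# grammar below accepts only [user@]host and nothing that could be read as an
# option or as shell syntax.
_TARGET_RE = re.compile(r"^(?:[A-Za-z0-9._-]+@)?[A-Za-z0-9][A-Za-z0-9.-]*$")

def parse_ssh_target(target):
    if target.startswith("-") or not _TARGET_RE.fullmatch(target):
        raise ValueError(f"refusing suspicious SSH target: {target!r}")
    return target

def is_valid_target(target):
    try:
        parse_ssh_target(target)
        return True
    except ValueError:
        return False

def ssh_command_hardened(target, project_path):
    """Return an argv list. No local shell parses it, and the only shell that
    does (the remote login shell) sees the path as one single-quoted word."""
    host = parse_ssh_target(target)
    remote = f"cd {shlex.quote(project_path)} && ./run-node"
    # "--" ends ssh option parsing; with parse_ssh_target above it is a second line of defence.
    return ["ssh", "--", host, remote]

def run_hardened(target, project_path):
    # argv list, never shell=True: the path and host reach ssh exactly as built.
    return subprocess.run(ssh_command_hardened(target, project_path), check=True)

if __name__ == "__main__":
    # Constructed sample inputs.
    bad_path = "/tmp/proj; id"
    bad_target = "-oProxyCommand=id"
    print("vulnerable remote arg:", remote_argument_of(ssh_command_vulnerable("dev.example.com", bad_path)))
    print("vulnerable local line:", ssh_command_vulnerable(bad_target, "/tmp/proj"))
    print("hardened argv:", ssh_command_hardened("alice@dev.example.com", bad_path))
    print("bad target accepted?", is_valid_target(bad_target))
```

The fix is the same on both sides: never let untrusted text reach a shell as syntax. Locally that means an argv list instead of a command string; remotely, where a shell is unavoidable, it means quoting each untrusted word, and for the destination argument it means a positive grammar check rather than blacklisting characters.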
Impact
Exploitation could lead to arbitrary code execution on the user's local machine (via an attacker-supplied SSH target string) or on a configured remote SSH host (via a malicious project path), depending on which input the attacker controls.
Remediation
Update to OpenClaw version 2026.1.29 or later, which addresses both input vectors. Until the update is applied, do not open project paths or SSH targets that come from untrusted sources.
