Upgrade @openclaw/lobster to version 2026.2.19 or higher.
@openclaw/lobster is a package that adds the lobster agent tool as an optional plugin tool.
Affected versions of this package are vulnerable to Command Injection via the fallback spawn path on Windows systems when certain spawn failures occur and the fallback uses shell: true. An attacker can execute arbitrary commands by supplying crafted arguments that cmd.exe interprets once the fallback is triggered. This is only exploitable if the application is running on Windows, the fallback path is triggered (for example by specific spawn errors), and the attacker controls the arguments passed through a local workflow.