Upgrade @openclaw/lobster to version 2026.2.19 or higher.
@openclaw/lobster adds the lobster agent tool as an optional plugin tool.
Affected versions of this package are vulnerable to Command Injection via the fallback process on Windows systems when certain spawn failures occur and shell: true is used. An attacker can execute arbitrary commands by supplying crafted arguments that are interpreted by cmd.exe if the fallback is triggered. This is only exploitable if the application is running on Windows, the fallback path is triggered (such as by specific spawn errors), and the attacker has control over the arguments passed through a local workflow.
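The pattern described above, a failed spawn retried with shell: true, is shown next to a fail-closed wrapper in this added example; it is not code from @openclaw/lobster. The function names, the injectable spawnImpl parameter and the metacharacter filter are assumptions made for illustration.

```javascript
// Added illustration with hypothetical names; not @openclaw/lobster code.
const { spawnSync } = require('node:child_process');

// Characters cmd.exe treats specially when it parses a command line.
const CMD_META = /[&|<>^%!"()\r\n]/;

// Risky pattern (constructed for contrast): when the direct spawn fails,
// retry through the shell. On Windows that hands the same args to cmd.exe,
// which re-parses them as command-line syntax.
function runWithShellFallback(command, args, spawnImpl = spawnSync) {
  let res = spawnImpl(command, args, { shell: false });
  if (res.error) res = spawnImpl(command, args, { shell: true });
  return res;
}

// Hardened form: a single attempt, never a shell, fail closed on error.
// spawnImpl and platform are injectable so the behaviour can be tested
// on any OS without starting a process.
function runNoShell(command, args, opts = {}) {
  const { spawnImpl = spawnSync, platform = process.platform } = opts;
  if (platform === 'win32') {
    // Conservative defence in depth (an assumption of this example):
    // refuse args that would mean something to cmd.exe if one were involved.
    const bad = args.find((a) => CMD_META.test(a));
    if (bad !== undefined) {
      throw new Error(`argument rejected: ${JSON.stringify(bad)}`);
    }
  }
  const res = spawnImpl(command, args, { shell: false, windowsHide: true });
  if (res.error) {
    // Surface the failure instead of escalating to shell: true.
    throw new Error(`spawn failed (${res.error.code}); not retrying via shell`);
  }
  return res;
}

module.exports = { runWithShellFallback, runNoShell, CMD_META };
```

Until the upgrade is applied, searching a code base for a `shell: true` option inside an error handler or retry branch around spawn calls is a quick way to find the same pattern elsewhere.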