Command Injection Affecting github.com/openclaw/openclaw package, versions <2026.1.29


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.94% (56th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SWIFT-OPENCLAWOPENCLAW-15202437
  • published4 Feb 2026
  • disclosed2 Feb 2026
  • creditkirolos gerges ayad

Introduced: 2 Feb 2026

CVE-2026-25157  (opens in a new tab)
CWE-78  (opens in a new tab)

How to fix?

Upgrade openclaw/openclaw to version 2026.1.29 or higher.

Overview

Affected versions of this package are vulnerable to Command Injection via improper handling of user-supplied input in the sshNodeCommand and parseSSHTarget functions. An attacker can execute arbitrary commands on the local machine or a remote SSH host by supplying specially crafted project paths or SSH target strings.

References

CVSS Base Scores

version 4.0
version 3.1