目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1336 CNY

100%

CVE-2026-26323— OpenClaw 操作系统命令注入漏洞

AI Predicted 6.5 Difficulty: Easy EPSS 1.71% · P75
新しい脆弱性情報の通知を購読するログインして購読

I. CVE-2026-26323の基本情報

脆弱性情報

脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗

高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。

脆弱性タイトル
OpenClaw has a command injection in maintainer clawtributors updater
ソース: NVD (National Vulnerability Database)
脆弱性説明
OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. The issue affects contributors/maintainers (or CI) who run `bun scripts/update-clawtributors.ts` in a source checkout that contains a malicious commit author email (e.g. crafted `@users[.]noreply[.]github[.]com` values). Normal CLI usage is not affected (`npm i -g openclaw`): this script is not part of the shipped CLI and is not executed during routine operation. The script derived a GitHub login from `git log` author metadata and interpolated it into a shell command (via `execSync`). A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run. Version 2026.2.14 contains a patch.
ソース: NVD (National Vulnerability Database)
CVSS情報
N/A
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
OpenClaw 操作系统命令注入漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
OpenClaw是openclaw开源的一个智能人工助理。 OpenClaw 2026.1.8版本至2026.2.13版本存在操作系统命令注入漏洞,该漏洞源于维护者/开发脚本scripts/update-clawtributors.ts中存在命令注入,当运行包含恶意提交作者电子邮件的脚本时,可能导致执行任意命令。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)

影響を受ける製品

ベンダープロダクト影響を受けるバージョンCPE購読
openclawopenclaw >= 2026.1.8, < 2026.2.14 -

II. CVE-2026-26323の公開POC

#POC説明ソースリンクShenlongリンク
AI生成POCプレミアム

公開POCは見つかりませんでした。

ログインしてAI POCを生成

III. CVE-2026-26323のインテリジェンス情報

登录查看更多情报信息。

CVE-2026-26323 厂商安全公告 (1)

Same Patch Batch · openclaw · 2026-02-19 · 22 CVEs total

CVE-2026-263227.6 HIGHOpenClaw Gateway tool allowed unrestricted gatewayUrl override
CVE-2026-263167.5 HIGHOpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust
CVE-2026-263197.5 HIGHOpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Re
CVE-2026-254747.5 HIGHOpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`
CVE-2026-263217.5 HIGHOpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension
CVE-2026-263247.5 HIGHOpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reach
CVE-2026-263257.2 HIGHOpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals
CVE-2026-263177.1 HIGHOpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation e
CVE-2026-269726.7 MEDIUMOpenClaw has a Path Traversal in Browser Download Functionality
CVE-2026-263286.5 MEDIUMOpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
CVE-2026-270095.8 MEDIUMOpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inl
CVE-2026-26327OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
CVE-2026-26329OpenClaw has a path traversal in browser upload allows local file read
CVE-2026-26326OpenClaw skills.status could leak secrets to operator.read clients
CVE-2026-27001OpenClaw: Unsanitized CWD path injection into LLM prompts
CVE-2026-27002OpenClaw: Docker container escape via unvalidated bind mount config injection
CVE-2026-27003OpenClaw: Telegram bot token exposure via logs
CVE-2026-27004OpenClaw session tool visibility hardening and Telegram webhook secret fallback
CVE-2026-27007OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container rec
CVE-2026-27008OpenClaw hardened the skill download target directory validation

Showing 20 of 22 CVEs. View all on vendor page →

IV. 関連脆弱性

V. CVE-2026-26323へのコメント

まだコメントはありません


コメントを残す