CVE-2026-25157: OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand

February 2, 2026

Two related vulnerabilities existed in the macOS application’s SSH remote connection handling (CommandResolver.swift):

References

github.com/advisories/GHSA-q284-4pvr-m585
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585
nvd.nist.gov/vuln/detail/CVE-2026-25157

Code Behaviors & Features

Detect and mitigate CVE-2026-25157 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →