CVE-2026-31995: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
On Windows, the Lobster extension previously retried certain spawn failures (ENOENT/EINVAL) with shell: true for wrapper compatibility. Whenever that fallback was triggered, tool-provided arguments reached cmd.exe unchanged and could be interpreted as shell syntax rather than as plain argument values.
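The fallback described above, reconstructed as an added example (not OpenClaw's code): runToolVulnerable retries a failed spawn with shell: true, runToolHardened refuses to and reports the error instead, and argsUnsafeForCmd flags arguments cmd.exe would reinterpret. The function names, the injected fake spawner and the hardened behaviour are assumptions for illustration, not the project's actual fix.

```javascript
// cmd.exe metacharacters that gain meaning once shell: true is in effect.
const CMD_META = /[&|<>^%!"\r\n]/;

// Indices of tool-provided args cmd.exe would reinterpret under shell: true.
// Under a direct spawn (shell: false) they are inert bytes in argv.
function argsUnsafeForCmd(args) {
  return args.reduce((acc, a, i) => (CMD_META.test(a) ? acc.concat(i) : acc), []);
}

// The two error codes the advisory names as triggers for the fallback.
function isWrapperSpawnFailure(err) {
  return Boolean(err) && (err.code === 'ENOENT' || err.code === 'EINVAL');
}

// Reconstructed vulnerable pattern: on ENOENT/EINVAL, retry through the shell
// with the same args, so tool-provided strings now reach cmd.exe.
function runToolVulnerable(spawnImpl, cmd, args) {
  try {
    return spawnImpl(cmd, args, { shell: false });
  } catch (err) {
    if (!isWrapperSpawnFailure(err)) throw err;
    return spawnImpl(cmd, args, { shell: true });
  }
}

// Hardened variant (an assumption, not the project's actual fix): never
// escalate to a shell. Surface the original error, noting which args would
// have been dangerous, so the caller resolves the wrapper explicitly instead.
function runToolHardened(spawnImpl, cmd, args) {
  try {
    return spawnImpl(cmd, args, { shell: false });
  } catch (err) {
    if (!isWrapperSpawnFailure(err)) throw err;
    const bad = argsUnsafeForCmd(args);
    const hint = bad.length ? `; args [${bad.join(', ')}] contain cmd.exe metacharacters` : '';
    throw new Error(`spawn ${cmd} failed (${err.code}); shell fallback disabled${hint}`);
  }
}

// Constructed fake spawner standing in for child_process: fails the way a
// Windows .cmd wrapper does without a shell (EINVAL), succeeds with one, and
// records each call so the path taken can be inspected.
function makeFakeSpawn(calls) {
  return (cmd, args, opts) => {
    calls.push({ cmd, args, shell: Boolean(opts.shell) });
    if (opts.shell) return 0; // exit status of the (fake) child
    throw Object.assign(new Error('spawn EINVAL'), { code: 'EINVAL' });
  };
}
```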
References
- github.com/advisories/GHSA-fg3m-vhrr-8gj6
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/ba7be018da354ea9f803ed356d20464df0437916
- github.com/openclaw/openclaw/security/advisories/GHSA-fg3m-vhrr-8gj6
- nvd.nist.gov/vuln/detail/CVE-2026-31995
- www.vulncheck.com/advisories/openclaw-command-injection-via-windows-shell-fallback-in-lobster-extension