CVE-2026-26323

Description

### Summary Command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. ### Impact Affects contributors/maintainers (or CI) who run `bun scripts/update-clawtributors.ts` in a source checkout that contains a malicious commit author email (e.g. crafted `@users.noreply.github.com` values). Normal CLI usage is not affected (`npm i -g openclaw`): this script is not part of the shipped CLI and is not executed during routine operation. ### Affected Versions - Source checkouts: tags `v2026.1.8` through `v2026.2.13` (inclusive) - Version range (structured): `>= 2026.1.8, < 2026.2.14` ### Details The script derived a GitHub login from `git log` author metadata and interpolated it into a shell command (via `execSync`). A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run. ### Fix - Fix commit: `a429380e337152746031d290432a4b93aa553d55` - Planned patched version: `2026.2.14` ### Credits Thanks @scanleale and @MegaManSec (https://joshua.hu) of [AISLE Research Team](https://aisle.com/) for reporting.

How to fix CVE-2026-26323

To remediate CVE-2026-26323, upgrade the affected package to a fixed version below.

• —upgrade to 2026.2.14 or later

Is CVE-2026-26323 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 2026.1.8, < 2026.2.14

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-26323
• PATCHgithub.com/openclaw/openclaw
• WEBgithub.com/openclaw/openclaw/commit/a429380e337152746031d290432a4b93aa553d55
• WEBgithub.com/openclaw/openclaw/releases/tag/v2026.2.14