OpenClaw Remote Command Injection via iMessage Attachment Staging (CVE-2026-32917)
OpenClaw before 2026.3.13 is vulnerable to remote command injection via unsanitized iMessage attachment paths passed to the SCP remote operand, allowing attackers to execute arbitrary commands on configured remote hosts when remote attachment staging is enabled.
OpenClaw versions prior to 2026.3.13 are vulnerable to a remote command injection flaw, identified as CVE-2026-32917, in the iMessage attachment staging process. Attackers can exploit this flaw by injecting shell metacharacters into unsanitized remote attachment paths. This occurs because these paths are directly passed to the SCP command…
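As an added example (not OpenClaw's code and not taken from the fix), this is one way to validate a remote attachment path before it becomes an SCP remote operand. The attachment root, the host pattern and every function name are assumptions made for illustration.

```javascript
// Added example, not OpenClaw code. ALLOWED_ROOT, the host pattern and all
// function names are assumptions made for illustration.
const ALLOWED_ROOT = "/Users/relay/Library/Messages/Attachments/";

// Allowlist: letters, digits and / . _ - only. Everything a shell treats
// specially (space, quotes, $ ; | & < > ( ) backtick, newline) is rejected.
const SAFE_PATH = /^[A-Za-z0-9._\/-]+$/;
const SAFE_HOST = /^(?:[A-Za-z0-9_][A-Za-z0-9._-]*@)?[A-Za-z0-9][A-Za-z0-9.-]*$/;

function validateRemotePath(remotePath) {
  if (typeof remotePath !== "string" || remotePath.length === 0 || remotePath.length > 1024) {
    return { ok: false, reason: "empty-or-too-long" };
  }
  if (!SAFE_PATH.test(remotePath)) return { ok: false, reason: "disallowed-character" };
  if (!remotePath.startsWith(ALLOWED_ROOT)) return { ok: false, reason: "outside-root" };
  const segments = remotePath.split("/");
  if (segments.includes("..")) return { ok: false, reason: "path-traversal" };
  // A segment starting with "-" could be read as an option further down the line.
  if (segments.some((s) => s.startsWith("-"))) return { ok: false, reason: "leading-dash" };
  return { ok: true, reason: null };
}

// Returns an argv array suitable for execFile("scp", argv): no local shell is
// involved, and "--" stops option parsing before the operands.
function buildScpArgs(host, remotePath, localDir) {
  if (!SAFE_HOST.test(host)) throw new Error("rejected host");
  const verdict = validateRemotePath(remotePath);
  if (!verdict.ok) throw new Error("rejected remote path: " + verdict.reason);
  return ["--", host + ":" + remotePath, localDir];
}

// Constructed sample inputs (not taken from any real incident).
const SAMPLES = [
  ALLOWED_ROOT + "ab/12/IMG_0001.jpg",
  ALLOWED_ROOT + "ab/12/a.jpg;echo injected",
  ALLOWED_ROOT + "../../.ssh/config",
  "/etc/hosts",
];
for (const p of SAMPLES) {
  console.log(JSON.stringify(p), "->", JSON.stringify(validateRemotePath(p)));
}
```

Real attachment names often contain spaces or non-ASCII characters; this allowlist rejects them outright instead of attempting shell quoting, so such files need a separate, deliberate handling path.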
Detection coverage (2)
Detect Suspicious Network Activity from OpenClaw
Severity: high. Detects network connections from OpenClaw that may indicate command injection activity.
Detect Suspicious Process Creation from OpenClaw
Severity: critical. Detects creation of shell processes from OpenClaw that may indicate command injection activity.
Detection queries are kept inside the platform.