{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openclaw-before-2026.6.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-62200"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw (before 2026.6.1)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","rce","openclaw","git"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions before 2026.6.1 are affected by CVE-2026-62200, a critical vulnerability stemming from inadequate host exec environment filtering within its Git ext transport feature. This flaw, with a CVSS 3.1 base score of 8.8 (High), allows a lower-trust caller or a manipulated input path to execute or persist unauthorized actions. If the vulnerable feature is enabled and network-reachable, an attacker can bypass intended authorization boundaries, leading to arbitrary code execution on the underlying system. This poses a significant risk to organizations utilizing affected OpenClaw instances, as it could result in full system compromise, data exfiltration, or the establishment of persistent backdoors without the need for high-level authentication. Defenders should prioritize patching to prevent potential exploitation of this flaw.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: A lower-trust caller, such as an authenticated but low-privileged user, or a controlled input path, gains access to the vulnerable OpenClaw instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation of Vulnerability\u003c/strong\u003e: The attacker crafts and submits malicious input specifically designed to abuse the Git ext transport feature.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnvironment Filtering Bypass\u003c/strong\u003e: The crafted malicious input successfully bypasses the flawed host exec environment filtering mechanism within OpenClaw.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Injection\u003c/strong\u003e: Due to the filtering bypass, the system misinterprets and processes the malicious input as legitimate commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Execution\u003c/strong\u003e: The injected commands are executed on the host system, typically with the privileges of the OpenClaw application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence Establishment (Optional)\u003c/strong\u003e: The attacker may leverage the newly gained execution primitive to establish persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact Achievement\u003c/strong\u003e: The attacker achieves their objective, which could include further system compromise, data exfiltration, or complete control over the affected system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-62200 could lead to unauthorized remote code execution on the server hosting the OpenClaw application. This level of access grants attackers the ability to compromise the entire system, leading to data theft, alteration, or destruction. Furthermore, attackers could establish persistent access, allowing them to maintain a foothold within the affected environment for future malicious activities, potentially impacting the confidentiality, integrity, and availability of critical systems and sensitive information. The vulnerability does not require high privileges for exploitation, expanding its potential reach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-62200 immediately by upgrading OpenClaw to version 2026.6.1 or later.\u003c/li\u003e\n\u003cli\u003eReview access controls for OpenClaw instances to ensure only authorized and necessary personnel have access, reducing the exposure to lower-trust callers.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw server logs for unusual process creation or network activity that could indicate attempts to exploit the Git ext transport feature.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T22:30:40Z","date_published":"2026-07-13T22:30:40Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-git-ext-transport-rce/","summary":"A critical vulnerability, CVE-2026-62200, in OpenClaw versions before 2026.6.1 allows a lower-trust caller to execute or persist unauthorized actions via the Git ext transport feature, potentially leading to remote code execution due to improper host exec environment filtering.","title":"OpenClaw Git Ext Transport Vulnerability Allows Unauthorized Code Execution (CVE-2026-62200)","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-git-ext-transport-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenClaw (Before 2026.6.1)","version":"https://jsonfeed.org/version/1.1"}