CVE-2026-31999 MEDIUM

CVE-2026-31999: OpenClaw 2026.2.26 < 2026.3.1 - Current Working Directory Injection via Windows Wrapper Resolution Fallback

Vendor Openclaw
Product OpenClaw
Weakness CWE-78
Published March 19, 2026
Last update March 23, 2026

CVSS base score

5.8/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss by controlling the current working directory during wrapper resolution.

Key dates

02Disclosure timeline

March 19, 2026 CVE published
March 23, 2026 Record updated