CVE-2026-31996

EUVD-2026-13031
OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags or recursive grep flags. Attackers with command execution access can leverage sort -o flag for arbitrary file writes or grep -R flag for recursive file reads, circumventing intended stdin-only restrictions.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.6 LOW
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
VulnCheckCNA
3.6 LOW
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
openclawopenclaw
𝑥
< 2026.2.19
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/openclaw/openclaw/commit/2c05cbb43e48ebad03626d3125746fb1b9a8520f
https://github.com/openclaw/openclaw/security/advisories/GHSA-4685-c5cp-vp95
https://www.vulncheck.com/advisories/openclaw-safebins-stdin-only-bypass-via-sort-output-and-recursive-grep-flags