What is CVE-2026-44115?

CVE-2026-44115 is a high-severity vulnerability in Openclaw, classified under Incomplete List of Disallowed Inputs. CVSS score: 8.8/10. Published 2026-05-06.

How severe is CVE-2026-44115?

High severity. CVSS v3 base score is 8.8 out of 10.

Vulnerability in Openclaw

CVE-2026-44115

OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell expansion tokens in heredoc bodies to exec…

EPSS: 0.001 (25.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Openclaw — versions 0, 2026.4.22

Weakness classification (CWE)

CWE-184 — Incomplete List of Disallowed Inputs

References

Patch Commit (Patch, patch)
GitHub Security Advisory (GHSA-x3h8-jrgh-p8jx) (vendor-advisory, Mitigation, Vendor Advisory)
VulnCheck Advisory: OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted Heredocs via Exec Allowlist (Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-44115?: CVE-2026-44115 is a high-severity vulnerability in Openclaw, classified under Incomplete List of Disallowed Inputs. CVSS score: 8.8/10. Published 2026-05-06.
How severe is CVE-2026-44115?: High severity. CVSS v3 base score is 8.8 out of 10.