CVE-2026-34425

MEDIUM 5.4

OpenClaw - Shell-Bleed Protection Preflight Validation Bypass

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked.

CWE	CWE-184
Vendor	openclaw
Product	openclaw
Published	Apr 2, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new medium vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

OpenClaw / OpenClaw

0 < 8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q github.com: https://github.com/openclaw/openclaw/commit/8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-shell-bleed-protection-preflight-validation-bypass

Credits

🔍 Zhijie Zhang