CVE-2026-27486

Feb. 21, 2026, 10:16 a.m.

4.3
Medium

Description

OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide process enumeration and pattern matching to terminate processes without verifying if they are owned by the current OpenClaw process. On shared hosts, unrelated processes can be terminated if they match the pattern. The CLI runner cleanup helpers can kill processes matched by command-line patterns without validating process ownership. This issue has been fixed in version 2026.2.14.

Product(s) Impacted

Vendor Product Versions
Openclaw
  • Openclaw Cli
  • <2026.2.14

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-283
Unverified Ownership
The product does not properly verify that a critical resource is owned by the proper entity.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a openclaw openclaw_cli <2026.2.14 / / / / / / /

References

https://github.com/openclaw/openclaw/commit/6084d13b956119e3cf95daaf9a1cae1670ea3557
https://github.com/openclaw/openclaw/commit/eb60e2e1b213740c3c587a7ba4dbf10da620ca66
https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
https://github.com/openclaw/openclaw/security/advisories/GHSA-jfv4-h8mc-jcp8

Tags

[email protected]
CWE-283
2026-02-21
CVE-2026-27486

CVSS Score

4.3 / 10

CVSS Data - 4.0

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Feb. 21, 2026, 10:16 a.m.
Last Modified: Feb. 21, 2026, 10:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.