CVE-2026-32917

OpenClaw · OpenClaw

OpenClaw contains a remote command injection vulnerability in the iMessage attachment staging flow. Unsanitized SCP paths allow attackers to execute commands on remote hosts.

Executive summary

Attackers can execute arbitrary commands on remote servers configured with OpenClaw by sending a malicious iMessage attachment, leading to full remote system compromise.

Vulnerability

A remote command injection vulnerability exists in the iMessage attachment staging flow. Unsanitized attachment paths containing shell metacharacters are passed directly to an SCP command. An unauthenticated attacker can craft a path that executes arbitrary commands on the remote host when attachment staging is enabled.
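The following is an added illustration, not OpenClaw's own code (function names, the staging directory layout and the remote host are assumptions): the shell-string pattern the advisory describes, placed next to a hardened builder that validates the attachment name, never hands the path to a shell, and terminates scp option parsing with `--`.

```python
"""Unsafe vs. hardened construction of the scp command that stages an attachment.
Hypothetical code illustrating the bug class behind CVE-2026-32917."""
import re
import subprocess
from pathlib import Path

# Characters a shell would interpret; anything in this set in a filename is a red flag.
_SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\\"' ]")
# Whitelist for a bare attachment filename: letters, digits, dot, underscore, dash.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def vulnerable_scp_command(attachment_path: str, remote: str) -> str:
    """Pre-fix shape: the untrusted path is interpolated into one shell string,
    so a ';', '&' or '|' in the name starts a second command. Shown only for
    contrast with build_scp_argv(); never execute a string built this way."""
    return f"scp {attachment_path} {remote}"


def has_shell_metacharacters(path: str) -> bool:
    """Detection helper usable over log-extracted paths (see monitoring advice)."""
    return _SHELL_META.search(path) is not None


def validate_attachment_name(name: str) -> str:
    """Accept only a bare filename: no path separators, no metacharacters, no
    leading '-' (scp would parse it as an option) and no ':' (scp would parse
    it as a host:path remote spec). Raises ValueError otherwise."""
    if name in ("", ".", "..") or Path(name).name != name:
        raise ValueError("attachment name must be a plain filename")
    if name.startswith("-") or not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected attachment name: {name!r}")
    return name


def is_safe_attachment_name(name: str) -> bool:
    try:
        validate_attachment_name(name)
        return True
    except ValueError:
        return False


def build_scp_argv(staging_dir: str, name: str, remote_host: str, remote_dir: str) -> list:
    """Hardened shape: return an argv list so no shell ever parses the path."""
    local = str(Path(staging_dir) / validate_attachment_name(name))
    return ["scp", "-o", "BatchMode=yes", "--", local, f"{remote_host}:{remote_dir}/"]


def stage_attachment(staging_dir, name, remote_host, remote_dir, runner=subprocess.run):
    """Run scp with an argv list (no shell=True); 'runner' is injectable for tests."""
    return runner(build_scp_argv(staging_dir, name, remote_host, remote_dir), check=True)
```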

Business impact

This vulnerability allows for the complete takeover of servers used for iMessage staging. Attackers can gain persistent access, exfiltrate private messages, and move laterally to other systems in the network. The CVSS score of 9.8 reflects the high severity of unauthenticated remote command execution on critical communication infrastructure.

Remediation

Immediate Action: Update OpenClaw to version 2026.3.13 or later. If patching is not possible, disable the remote attachment staging feature.

Proactive Monitoring: Monitor remote hosts for suspicious scp or ssh processes, and inspect system logs for unusual file paths containing shell metacharacters such as ;, &, or |.

Compensating Controls: Implement strict SSH key management, and restrict the commands the OpenClaw user can execute on remote hosts using rssh or a similar restricted shell environment.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Command injection via SCP operands is a well-understood but devastating flaw. Organizations relying on OpenClaw for message staging must prioritize the update to version 2026.3.13. Until the patch is applied, the remote staging feature should be considered unsafe and disabled.