CVE-2026-29610
HIGHOpenClaw <2026.2.14 - Command Injection
Title source: llmDescription
OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers with authenticated access to node-host execution surfaces or those running OpenClaw in attacker-controlled directories can place malicious executables in PATH to override allowlisted safe-bin commands and achieve arbitrary command execution.
Scores
CVSS v3
8.8
EPSS
0.0006
EPSS Percentile
19.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-427
Status
draft
Affected Products (1)
npm/openclaw
< 2026.2.14npm
Timeline
Published
Mar 05, 2026
Tracked Since
Mar 06, 2026