CVE-2026-32056

HIGH

OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run

Title source: cna

Description

OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed.

References (3)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-xgf2-vxv2-rrmg

[Patch] https://github.com/openclaw/openclaw/commit/c2c7114ed39a547ab6276e1e933029b9530ee906

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shell-startup-environment-variable-injection-in-system-run

Scores

CVSS v3 7.5

EPSS 0.0016

EPSS Percentile 37.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (4)

npm/openclaw 0 - 2026.2.22npm

OpenClaw/OpenClaw < 2026.2.22

openclaw/openclaw < 2026.2.22

OpenClaw/OpenClaw 2026.2.22

Published Mar 21, 2026

Tracked Since Mar 21, 2026