Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.6
OpenClaw Allows Malicious Code Execution via Shell Wrapper
GHSA-2fgq-7j6h-9rm4
Summary
OpenClaw's system.run feature allows attackers to inject malicious code through environment variables, potentially allowing them to execute commands outside of intended limits. This affects OpenClaw versions up to 2026.2.21-2. To fix, the developers are blocking certain environment variables and restricting which variables can be overridden in shell wrappers. Affected users should wait for the next release, version 2026.2.22, which will include the fix.
What to do
- Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE)
Original description
### Summary
`system.run` allowed `SHELLOPTS` + `PS4` environment injection to trigger command substitution during `bash -lc` xtrace expansion before the allowlisted command body executed.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.21-2` (includes latest published npm version at triage time)
- Patched (planned next release): `2026.2.22`
### Impact
In `allowlist` mode, an attacker who can invoke `system.run` with request-scoped `env` could execute additional shell commands outside the intended allowlisted command body.
### Root Cause
Host exec env sanitization blocked startup-file vectors (`BASH_ENV`, `ENV`, etc.) but did not block `SHELLOPTS`/`PS4`. For shell wrappers (`bash|sh|zsh ... -c/-lc`), request env overrides were passed through and `bash` evaluated `PS4` under `xtrace`, enabling command substitution.
### Fix
- Block `SHELLOPTS` and `PS4` in host exec env sanitizers (Node + macOS).
- For shell wrappers (`bash|sh|zsh ... -c/-lc`), reduce request-scoped env overrides to an explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
- Add regression tests for TS and macOS paths.
### Fix Commit(s)
- `e80c803fa887f9699ad87a9e906ab5c1ff85bd9a`
### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.22`). Once npm release `2026.2.22` is published, advisory publication is a final state action only.
### Severity Rationale
This advisory is rated **medium** because exploitation requires a caller that can already invoke `system.run` with request-scoped `env`.
Under OpenClaw's documented trust model (`SECURITY.md`), authenticated Gateway callers are treated as trusted operators, and adversarial multi-operator / prompt-injection scenarios are out of scope.
The bug remains a real allowlist-intent bypass, but it does not cross a separate trust boundary in the documented deployment assumptions.
OpenClaw thanks @tdjackey for reporting.
`system.run` allowed `SHELLOPTS` + `PS4` environment injection to trigger command substitution during `bash -lc` xtrace expansion before the allowlisted command body executed.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.21-2` (includes latest published npm version at triage time)
- Patched (planned next release): `2026.2.22`
### Impact
In `allowlist` mode, an attacker who can invoke `system.run` with request-scoped `env` could execute additional shell commands outside the intended allowlisted command body.
### Root Cause
Host exec env sanitization blocked startup-file vectors (`BASH_ENV`, `ENV`, etc.) but did not block `SHELLOPTS`/`PS4`. For shell wrappers (`bash|sh|zsh ... -c/-lc`), request env overrides were passed through and `bash` evaluated `PS4` under `xtrace`, enabling command substitution.
### Fix
- Block `SHELLOPTS` and `PS4` in host exec env sanitizers (Node + macOS).
- For shell wrappers (`bash|sh|zsh ... -c/-lc`), reduce request-scoped env overrides to an explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
- Add regression tests for TS and macOS paths.
### Fix Commit(s)
- `e80c803fa887f9699ad87a9e906ab5c1ff85bd9a`
### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.22`). Once npm release `2026.2.22` is published, advisory publication is a final state action only.
### Severity Rationale
This advisory is rated **medium** because exploitation requires a caller that can already invoke `system.run` with request-scoped `env`.
Under OpenClaw's documented trust model (`SECURITY.md`), authenticated Gateway callers are treated as trusted operators, and adversarial multi-operator / prompt-injection scenarios are out of scope.
The bug remains a real allowlist-intent bypass, but it does not cross a separate trust boundary in the documented deployment assumptions.
OpenClaw thanks @tdjackey for reporting.
ghsa CVSS3.1
6.6
Vulnerability type
CWE-15
CWE-78
OS Command Injection
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026