6.9
OpenClaw allows attackers to execute malicious code during startup
GHSA-8fmp-37rc-p5g7
CVE-2026-22177
Summary
OpenClaw applies the env.vars block of its configuration to the gateway process environment at startup without filtering process-control variables such as NODE_OPTIONS or LD_*. Anyone who can write that configuration can therefore have arbitrary code loaded into the gateway service at startup and run in its runtime context. This vulnerability affects OpenClaw versions up to 2026.2.19-2. To protect your system, update to version 2026.2.21 or later.
What to do
- Update steipete openclaw to version 2026.2.21 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | < 2026.2.21 | 2026.2.21 |
Original title
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like N...
Original description
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context.
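The kind of filter the fix implies, as an added example in JavaScript that is not OpenClaw's own code. The advisory names only NODE_OPTIONS and LD_* as dangerous; the other blocked names, the helper names, and the sample env.vars content below are this example's own assumptions, and the vulnerable `applyConfigEnvUnfiltered` form is shown only for contrast.

```javascript
// Added example, not OpenClaw's own code: apply a config-supplied env.vars map
// to the process environment only after dropping process-control variables.
// The advisory names NODE_OPTIONS and LD_*; the other names here are this
// example's own choice of well-known interpreter and loader hooks.

// Exact variable names that change how Node or a spawned child starts.
const BLOCKED_EXACT = new Set([
  "NODE_OPTIONS",   // CLI flags for every node process, e.g. --require /tmp/x.js
  "NODE_PATH",      // extra module search roots: hijacks require("pkg")
  "NODE_REPL_EXTERNAL_MODULE",
  "GLIBC_TUNABLES", // glibc loader tunables
  "PATH",           // decides which binary a spawned child resolves to
]);

// Name prefixes used by dynamic loaders (glibc ld.so, macOS dyld).
const BLOCKED_PREFIXES = ["LD_", "DYLD_"];

// Case-insensitive match: Windows treats env names case-insensitively, and
// over-blocking an odd-cased "node_options" on POSIX costs nothing.
function isDangerousEnvName(name) {
  const upper = String(name).toUpperCase();
  if (BLOCKED_EXACT.has(upper)) return true;
  return BLOCKED_PREFIXES.some((prefix) => upper.startsWith(prefix));
}

// Split a config env.vars object into entries safe to apply and the names
// that were rejected. Non-string values are rejected as well, because
// process.env would silently coerce them to strings like "[object Object]".
function filterEnvVars(vars) {
  const accepted = {};
  const rejected = [];
  for (const [name, value] of Object.entries(vars || {})) {
    if (typeof value !== "string" || isDangerousEnvName(name)) {
      rejected.push(name);
    } else {
      accepted[name] = value;
    }
  }
  return { accepted, rejected };
}

// Vulnerable pattern the advisory describes: config values copied straight
// into the environment, so NODE_OPTIONS or LD_PRELOAD reach the next exec.
function applyConfigEnvUnfiltered(vars, env) {
  return Object.assign(env, vars);
}

// Hardened form: filter first, log what was dropped, then apply.
function applyConfigEnv(vars, env = process.env) {
  const { accepted, rejected } = filterEnvVars(vars);
  for (const name of rejected) {
    console.warn(`config env.vars: refusing to set ${name}`);
  }
  Object.assign(env, accepted);
  return { accepted, rejected };
}

// Constructed sample of a hostile env.vars block (not a real config).
const SAMPLE_CONFIG_ENV = {
  LOG_LEVEL: "debug",
  NODE_OPTIONS: "--require /tmp/payload.js",
  LD_PRELOAD: "/tmp/libhook.so",
  dyld_insert_libraries: "/tmp/hook.dylib",
  EXAMPLE_TOKEN: "constructed-example-token",
};

// Demonstrate on a scratch object rather than the real process.env.
const scratch = { HOME: "/home/gateway" };
const result = applyConfigEnv(SAMPLE_CONFIG_ENV, scratch);
console.log("applied:", Object.keys(result.accepted), "rejected:", result.rejected);
```

A deny list like this is the minimal fix and is inherently incomplete (new runtimes add new hook variables); a gateway that only needs a handful of settings from config is better served by an allow list of the names it expects, with everything else rejected.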
OSV CVSS 4.0 score
8.9
Vulnerability type
CWE-15 (External Control of System or Configuration Setting)
Published: 18 Mar 2026 · Updated: 18 Mar 2026 · First seen: 18 Mar 2026