Severity score: 7.7 (NVD CVSS 4.0)

OpenClaw versions fail to sanitize environment variables, allowing command bypass

CVE-2026-32056
Summary

OpenClaw versions before 2026.2.22 pass the shell startup environment variables HOME and ZDOTDIR through to the shell spawned by system.run without sanitizing them. An attacker who can influence those variables can point the shell at a directory containing a malicious startup file (for example .bash_profile or .zshenv); the shell sources that file before it runs the command, so the attacker's code executes even though the command itself passed the allowlist check. The result is arbitrary code execution on the host. Update to OpenClaw 2026.2.22 or later to fix this issue.

Original title
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Re...
Original description
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed.
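The following is an added illustration of the mechanism the description outlines, written for this page and not taken from OpenClaw's code base. It shows an allowlisting wrapper that hands the approved command to a login shell while inheriting an attacker-influenced HOME (bash sources $HOME/.bash_profile before running the command; zsh sources $ZDOTDIR/.zshenv on every invocation, even without a login flag), next to a hardened version that refuses profile and rc files and scrubs the startup variables. The function names, the allowlist contents, the extra variables BASH_ENV and ENV, and the demo payload are all assumptions made here, not details from the advisory.

```python
"""Added example for this advisory page, not OpenClaw's own code.

A command-allowlist wrapper that leaks attacker-controlled shell-startup
variables into the spawned shell, beside a hardened version. All names and
the allowlist are hypothetical."""
import os
import shlex
import shutil
import subprocess
import tempfile

BASH = shutil.which("bash")  # absolute path so the scrubbed env needs no PATH lookup
ALLOWLIST = {"echo", "ls", "date"}  # hypothetical allowlist of permitted argv[0]

# Variables that decide which startup files a shell sources *before* it runs
# the command it was handed. HOME and ZDOTDIR are the ones named in the
# advisory; BASH_ENV and ENV are the same class of variable and are added
# here as an assumption about good practice, not something the advisory lists.
STARTUP_VARS = ("HOME", "ZDOTDIR", "BASH_ENV", "ENV")


def bash_available() -> bool:
    return BASH is not None


def is_allowlisted(command: str) -> bool:
    """Allowlist check on argv[0]; the bypass never needs a disallowed argv[0]."""
    argv = shlex.split(command)
    return bool(argv) and argv[0] in ALLOWLIST


def sanitize_env(env: dict, safe_home: str) -> dict:
    """Drop shell-startup variables and pin HOME to a caller-owned, dotfile-free dir."""
    clean = {k: v for k, v in env.items() if k not in STARTUP_VARS}
    clean["HOME"] = safe_home
    return clean


def run_vulnerable(command: str, env: dict) -> subprocess.CompletedProcess:
    """Allowlist, then run in a login shell with the caller's environment intact.

    bash -l sources $HOME/.bash_profile before executing the -c command, so an
    attacker who controls HOME runs code the allowlist never saw."""
    if not is_allowlisted(command):
        raise PermissionError(command)
    return subprocess.run([BASH, "-l", "-c", command], env=env,
                          capture_output=True, text=True)


def run_hardened(command: str, env: dict, safe_home: str) -> subprocess.CompletedProcess:
    """Same allowlist, but no login shell, no profile/rc files, scrubbed env."""
    if not is_allowlisted(command):
        raise PermissionError(command)
    return subprocess.run([BASH, "--noprofile", "--norc", "-c", command],
                          env=sanitize_env(env, safe_home),
                          capture_output=True, text=True)


def demo():
    """Return (vulnerable_ran_startup_file, hardened_ran_startup_file)."""
    marker = "PWNED-BY-STARTUP-FILE"
    with tempfile.TemporaryDirectory() as attacker_home, \
            tempfile.TemporaryDirectory() as safe_home:
        # Constructed attacker payload: a startup file in a HOME the attacker controls.
        with open(os.path.join(attacker_home, ".bash_profile"), "w") as f:
            f.write(f"echo {marker}\n")
        # Constructed attacker-influenced environment handed to system.run.
        env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "HOME": attacker_home}
        vuln = run_vulnerable("echo hello", env)      # allowlisted, yet payload runs first
        hard = run_hardened("echo hello", env, safe_home)
        return marker in vuln.stdout, marker in hard.stdout


if __name__ == "__main__":
    print(demo())
```

The fix is two-fold: never start the shell in a mode that reads user startup files (no login flag, --noprofile --norc, or the zsh equivalent of a controlled ZDOTDIR), and do not inherit HOME, ZDOTDIR or similar variables from an untrusted caller; pin them to values the service owns. Allowlisting argv[0] alone cannot help, because the startup file runs before the allowlisted command does.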
NVD CVSS 3.1: 7.5
NVD CVSS 4.0: 7.7
Vulnerability type
CWE-78 OS Command Injection
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026