CVSS 3.1 (GHSA): 4.5
OpenClaw's shell fallback can execute malicious code
GHSA-f8mp-vj46-cq8v
Summary
A security issue in OpenClaw could allow an attacker who has already compromised the local environment to execute malicious code by manipulating the SHELL environment variable. To fix this, the latest version of OpenClaw has been updated to safely validate the SHELL path and block untrusted overrides, and you should update to the latest version as soon as it's available.
What to do
- Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment
Original description
The shell environment fallback path could invoke an attacker-controlled shell when `SHELL` was inherited from an untrusted host environment. In affected builds, shell-env loading used `$SHELL -l -c 'env -0'` without validating that `SHELL` points to a trusted executable.
In threat-model terms, this requires local environment compromise or untrusted startup environment injection first; it is not a remote pre-auth path. The hardening patch validates `SHELL` as an absolute normalized executable, prefers `/etc/shells`, applies trusted-prefix fallback checks, and falls back safely to `/bin/sh` when validation fails. The dangerous env-var policy now also blocks `SHELL` overrides.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.21-2`
- Latest published vulnerable version: `2026.2.21-2`
- Patched versions (planned next release): `>= 2026.2.22`
## Fix Commit(s)
- `25e89cc86338ef475d26be043aa541dfdb95e52a`
## Release Process Note
The advisory pre-sets `patched_versions` to the planned next release (`2026.2.22`). After that npm release is published, maintainers can publish this advisory without further version-field edits.
OpenClaw thanks @athuljayaram for reporting.
Vulnerability type
- CWE-78: OS Command Injection
- CWE-426: Untrusted Search Path
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026