
OpenClaw CLI: Unintended Process Termination on Shared Hosts

CVE-2026-27486 GHSA-jfv4-h8mc-jcp8
Summary

The OpenClaw CLI process cleanup feature can kill unrelated processes on a shared host if their command lines match its cleanup pattern, because it did not check that the matched processes belonged to the current OpenClaw process. This could cause unexpected downtime or data loss. The OpenClaw team has changed the process cleanup to target only processes directly owned by the OpenClaw process. If you use OpenClaw, update to version 2026.2.14 or later.

What to do
  • Update steipete openclaw to version 2026.2.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.14 | 2026.2.14 |
| openclaw | openclaw | <= 2026.2.14 | – |
Original title
OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup
Original description
## Summary

OpenClaw CLI process cleanup used system-wide process enumeration and pattern matching to terminate processes without verifying they were owned by the current OpenClaw process. On shared hosts, unrelated processes could be terminated if they matched the pattern.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected: `< 2026.2.14` (including the latest published version `2026.2.13`)
- Fixed: `2026.2.14` (planned next release)

## Details

The CLI runner cleanup helpers could kill processes matched by command-line patterns without validating process ownership.

## Fix

Process cleanup is now scoped to owned processes only by filtering to direct child PIDs of the current process (`ppid == process.pid`) before sending signals.

Hardening follow-ups:
- Prefer graceful termination for resume cleanup (`SIGTERM`, then `SIGKILL` fallback).
- Reduce false negatives from `ps` argv truncation by preferring wide output (`ps -axww`) with a fallback.
- Tighten command-line token matching to avoid substring matches.
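
The scoped cleanup described above, written out in Node.js as an added example (this is not OpenClaw's own code): the pre-fix substring selection sits beside the fixed version that keeps only direct children with a whole-token argv match, followed by the SIGTERM-then-SIGKILL fallback. The `ps -o pid=,ppid=,command=` column layout, the function names and the sample process list are assumptions made for this example.

```javascript
// Added example, not OpenClaw's code: scope cleanup to direct children of this
// process, match argv tokens exactly, and terminate gracefully.

// `ps -axww` avoids argv truncation; fall back to plain `-ax` if the host rejects it.
function listProcesses() {
  const { execFileSync } = require("node:child_process");
  const fmt = ["-o", "pid=,ppid=,command="];
  try { return execFileSync("ps", ["-axww", ...fmt], { encoding: "utf8" }); }
  catch { return execFileSync("ps", ["-ax", ...fmt], { encoding: "utf8" }); }
}

// Parse one `pid ppid command...` line into { pid, ppid, argv }.
function parsePsLine(line) {
  const m = /^\s*(\d+)\s+(\d+)\s+(.+)$/.exec(line);
  return m ? { pid: Number(m[1]), ppid: Number(m[2]), argv: m[3].trim().split(/\s+/) } : null;
}

// Pre-fix behaviour (comparison only): substring match on any process, whoever owns it.
function selectBySubstring(psOutput, pattern) {
  return psOutput.split("\n").map(parsePsLine).filter(Boolean)
    .filter((p) => p.argv.join(" ").includes(pattern)).map((p) => p.pid);
}

// Fixed behaviour: direct children only, whole-token argv match ("openclaw-exporter" != "openclaw").
function selectOwnedPids(psOutput, ownerPid, token) {
  return psOutput.split("\n").map(parsePsLine).filter(Boolean)
    .filter((p) => p.ppid === ownerPid && p.argv.includes(token)).map((p) => p.pid);
}

// kill(pid, 0) probes existence: ESRCH means gone, EPERM means alive but not ours.
function isAlive(pid) {
  try { process.kill(pid, 0); return true; } catch (e) { return e.code === "EPERM"; }
}

// SIGTERM first, poll for exit, SIGKILL only if the child is still running.
async function terminateGracefully(pid, timeoutMs = 2000, pollMs = 50) {
  try { process.kill(pid, "SIGTERM"); } catch { return "gone"; }
  const deadline = Date.now() + timeoutMs;
  while (Date.now() < deadline) {
    if (!isAlive(pid)) return "terminated";
    await new Promise((r) => setTimeout(r, pollMs));
  }
  try { process.kill(pid, "SIGKILL"); } catch { return "gone"; }
  return "killed";
}

// Constructed sample `ps -o pid=,ppid=,command=` output; this process is pid 4242 here.
const SAMPLE_PS = [" 101  4242 node openclaw run --task build", " 102     1 node openclaw run --task deploy",
  " 103  4242 /usr/bin/openclaw-exporter --port 9100", " 104  4242 bash -c sleep 30"].join("\n");
```

On the sample, `selectBySubstring(SAMPLE_PS, "openclaw")` returns all three processes whose command line contains the word, including another user's job and the exporter, while `selectOwnedPids(SAMPLE_PS, 4242, "openclaw")` returns only the child this process started.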

## Fix Commit(s)

- 6084d13b956119e3cf95daaf9a1cae1670ea3557
- eb60e2e1b213740c3c587a7ba4dbf10da620ca66

## Release Process Note

This advisory is pre-set with patched version `2026.2.14`. After `2026.2.14` is published to npm, the remaining step should be to publish this advisory.

Thanks @aether-ai-agent for reporting.
NVD CVSS 3.1: 5.3
NVD CVSS 4.0: 4.3
Vulnerability type
CWE-283
Published: 18 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026