7.3
OpenClaw Allows Malicious Startup Files to Run on Your System
GHSA-xgf2-vxv2-rrmg
Summary
A security issue in OpenClaw allows attackers to run malicious code on your system before the main command is executed. This can happen if you use OpenClaw version 2026.2.21-2 or earlier. To stay safe, update to the latest version, which is OpenClaw 2026.2.22 or higher.
What to do
- Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
Original description
### Summary
`system.run` environment sanitization allowed shell-startup env overrides (`HOME`, `ZDOTDIR`) that can execute attacker-controlled startup files before allowlist-evaluated command bodies.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.21-2` (latest published vulnerable version)
- Planned patched version: `>= 2026.2.22`
### Technical Details
In affected versions:
- Env sanitization blocked many dangerous keys, but not startup-sensitive override keys (`HOME`, `ZDOTDIR`) in host exec env paths.
- Shell-wrapper analysis for allowlist mode models command bodies, but not shell startup side effects.
- Runtime execution used sanitized env, so attacker-provided startup-key overrides could run hidden startup payloads first.
Observed exploit vectors:
- `HOME` + `bash -lc` + malicious `.bash_profile`
- `ZDOTDIR` + `zsh -c` + malicious `.zshenv`
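As an added example (not OpenClaw's code), the failure mode described above in JavaScript: a blocklist-style env sanitizer that strips loader keys but lets shell-startup overrides through, beside a hardened one that also removes them, plus a check that flags argv forms which read startup files before the command body. The function names and blocked-key lists are assumptions; `BASH_ENV` and `ENV` are included as the analogous bash/sh hooks, going beyond the two keys the advisory names.

```javascript
// Added example (not OpenClaw's code). Key lists are constructed for
// illustration and are not the project's actual lists.

// Keys that change what a shell runs *before* the command body is evaluated.
// HOME and ZDOTDIR are the keys named in the advisory; BASH_ENV and ENV are
// the analogous bash/sh hooks, added here as a generalization.
const SHELL_STARTUP_KEYS = new Set(['HOME', 'ZDOTDIR', 'BASH_ENV', 'ENV']);

// Loader-style keys a typical sanitizer already strips (constructed sample).
const LOADER_KEYS = new Set(['LD_PRELOAD', 'LD_LIBRARY_PATH', 'DYLD_INSERT_LIBRARIES']);

// Vulnerable pattern: only loader keys are dropped, so HOME/ZDOTDIR pass through.
function sanitizeEnvWeak(env) {
  return Object.fromEntries(Object.entries(env).filter(([k]) => !LOADER_KEYS.has(k)));
}

// Hardened pattern: shell-startup keys are dropped too, and the dropped keys
// are returned so the caller can log or reject the request.
function sanitizeEnvHardened(env) {
  const dropped = [];
  const clean = {};
  for (const [k, v] of Object.entries(env)) {
    if (LOADER_KEYS.has(k) || SHELL_STARTUP_KEYS.has(k)) {
      dropped.push(k);
      continue;
    }
    clean[k] = v;
  }
  return { env: clean, dropped };
}

// Detection aid for an allowlist evaluator: does this argv start a shell in a
// mode that reads startup files? bash reads .bash_profile with -l/--login;
// zsh reads $ZDOTDIR/.zshenv on every start unless -f suppresses rc files.
function invokesShellStartup(argv) {
  const [cmd, ...args] = argv;
  const base = cmd.split('/').pop();
  if (base === 'zsh') return !args.includes('-f');
  if (base === 'bash') return args.some((a) => a === '--login' || /^-[a-z]*l[a-z]*$/.test(a));
  return false;
}

// Constructed request resembling the advisory's first vector (HOME + bash -lc).
const untrustedEnv = { PATH: '/usr/bin', HOME: '/tmp/attacker-home', LD_PRELOAD: '/tmp/x.so' };
const weakResult = sanitizeEnvWeak(untrustedEnv);          // still contains HOME
const hardenedResult = sanitizeEnvHardened(untrustedEnv);  // HOME and LD_PRELOAD dropped
const startupRisk = invokesShellStartup(['bash', '-lc', 'ls']); // true
```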
### Fix Commit(s)
- `c2c7114ed39a547ab6276e1e933029b9530ee906`
### Release Process Note
`patched_versions` is pre-set to the planned next release (`>= 2026.2.22`). After the npm release is published, this advisory can be published directly.
OpenClaw thanks @tdjackey for reporting.
GHSA CVSS 4.0 score: 7.3
Vulnerability type: CWE-15 (External Control of System or Configuration Setting), CWE-78 (OS Command Injection)
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026