OpenClaw: Untrusted Environment Variables Can Be Executed
GHSA-5h2c-8v84-qpvr
Summary
A security issue in OpenClaw allows an attacker to influence the environment variables used by the login shell, potentially running malicious commands. This affects versions 2026.1.5 to 2026.2.21-2 of OpenClaw. To fix this issue, update to version 2026.2.22 or later, which includes hardening to prevent untrusted environment variables from being used. Until then, ensure that the SHELL, HOME, and ZDOTDIR environment variables are blocked in your OpenClaw configuration.
What to do
- Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths
Original description
### Summary
OpenClaw shell-env fallback trusted startup environment values and could execute attacker-influenced login-shell startup paths before loading env keys.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `>= 2026.1.5` and `<= 2026.2.21-2`
- Fixed on `main`: `9363c320d8ffe29290906752fab92621da02c3f7`
- Planned patched release version (pre-set): `2026.2.22`
### Details
The vulnerable chain was in the shell-env fallback path:
1. `src/infra/shell-env.ts`
- `resolveShell(env)` trusted `env.SHELL` when set.
- `execLoginShellEnvZero(...)` executed `${SHELL} -l -c "env -0"` with inherited runtime env.
2. `src/config/io.ts`
- Config env values were applied before shell fallback execution.
3. `src/config/env-vars.ts` / env policy coverage
- `SHELL` handling was hardened, but startup-path selectors (`HOME`, `ZDOTDIR`) still needed explicit blocking in config env ingestion and sanitization for shell fallback execution.
With env/config influence, this could trigger unintended command execution during shell startup processing, in the context of the OpenClaw host process.
### Fix
Mainline hardening now:
- blocks `SHELL`, `HOME`, and `ZDOTDIR` during config env ingestion used by runtime fallback,
- sanitizes shell fallback execution env, pinning `HOME` to the real user home and dropping `ZDOTDIR` + dangerous startup vars,
- adds regression tests for config env ingestion and shell fallback/path-probe sanitization.
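As an added example (not OpenClaw's code), the following TypeScript sketch shows the two mitigations the Fix section describes for the chain in Details: rejecting `SHELL`, `HOME` and `ZDOTDIR` at config env ingestion, and sanitizing the env handed to the `${SHELL} -l -c "env -0"` fallback by pinning `HOME` and dropping startup-file selectors. Function names, the extra `ENV`/`BASH_ENV` entries and the sample values are assumptions, not taken from the project.

```typescript
import { homedir } from "node:os";

// Keys a config file must not be allowed to set before the shell fallback runs
// (the three the advisory names).
export const CONFIG_ENV_BLOCKLIST: ReadonlySet<string> = new Set(["SHELL", "HOME", "ZDOTDIR"]);

// Keys that pick which startup files the login shell sources. ZDOTDIR is from the
// advisory; ENV (sh/ksh) and BASH_ENV (bash) are assumed extras, not from the page.
export const STARTUP_SELECTORS: ReadonlySet<string> = new Set(["ZDOTDIR", "ENV", "BASH_ENV"]);

// Step 1: config env ingestion. Blocked keys are reported instead of applied,
// so a config value can no longer redirect the fallback to another shell or home.
export function ingestConfigEnv(
  configEnv: Record<string, string>,
): { applied: Record<string, string>; rejected: string[] } {
  const applied: Record<string, string> = {};
  const rejected: string[] = [];
  for (const [key, value] of Object.entries(configEnv)) {
    if (CONFIG_ENV_BLOCKLIST.has(key)) rejected.push(key);
    else applied[key] = value;
  }
  return { applied, rejected };
}

// Step 2: build the env for `${SHELL} -l -c "env -0"`. HOME is pinned to the real
// account home (caller may override for tests) and startup selectors are dropped,
// so ~/.zshenv, ~/.profile etc. are read from the real home only.
export function sanitizeLoginShellEnv(
  runtimeEnv: Record<string, string | undefined>,
  realHome: string = homedir(),
): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [key, value] of Object.entries(runtimeEnv)) {
    if (value === undefined) continue;            // unset entries are not forwarded
    if (key === "HOME" || STARTUP_SELECTORS.has(key)) continue;
    out[key] = value;
  }
  out.HOME = realHome;
  return out;
}

// Constructed sample: a config that tries to redirect the login shell's startup files.
export function demo(): Record<string, string> {
  const config = { SHELL: "/tmp/untrusted/sh", ZDOTDIR: "/tmp/untrusted", PATH: "/usr/bin" };
  const { applied, rejected } = ingestConfigEnv(config);
  console.log("rejected config keys:", rejected.join(", "));   // HOME not present here
  return sanitizeLoginShellEnv({ ...applied, BASH_ENV: "/tmp/untrusted/rc" }, "/home/alice");
}
```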
### Fix Commit(s)
- `9363c320d8ffe29290906752fab92621da02c3f7`
### Impact
- Local code-execution risk in environments where attacker-controlled env/config input can reach shell-env fallback.
- Under OpenClaw trust assumptions (`SECURITY.md`), this is not a public-remote issue and depends on crossing local trusted-operator boundaries.
### Release Process Note
`patched_versions` is intentionally pre-set to the planned next release (`2026.2.22`) so that once the npm release is out, maintainers can publish the advisory immediately.
OpenClaw thanks @tdjackey for reporting.
CVSS 3.1 score (GHSA): 5.3
Vulnerability type: CWE-15, CWE-78 (OS Command Injection)
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026