OpenClaw: Malicious Code Can Run Before Commands - Update Needed

GHSA-w9cg-v44m-4qv8
Summary

An attacker who already has local or privileged access to your system's configuration or environment settings can exploit a vulnerability in OpenClaw to run their own code on your system before the shell commands OpenClaw spawns. To fix this, update OpenClaw to the latest version, which stops malicious code from running before those commands. Because the issue requires local or privileged access, it is not a remote threat on its own, but it still needs attention to keep the system secure.

What to do
  • Update openclaw to version 2026.2.21.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| – | openclaw | <= 2026.2.21 | 2026.2.21 |
Original title
OpenClaw affected by BASH_ENV / ENV startup-file injection into spawned shell commands
Original description
### Summary
`BASH_ENV` / `ENV` startup-file injection could lead to unintended pre-command shell execution when attacker-controlled environment values were admitted and then inherited by host command execution paths.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.19-2`
- Fixed on `main`: `2cdbadee1f8fcaa93302d7debbfc529e19868ea4`
- Planned patched release version: `2026.2.21`

### Details
The fix hardens environment handling across all relevant execution paths:
- Blocks dangerous startup/runtime env keys and prefixes in shared host env sanitization.
- Sanitizes inherited ambient environment even when no per-request overrides are provided.
- Blocks dangerous config-driven env injection before values enter process environment.
- Uses the same sanitizer in macOS host execution paths.
- Aligns skill env override sanitization with the shared dangerous-env policy.

### Impact
Medium. Exploitation requires local/privileged influence over configuration or environment inputs; there is no standalone remote unauthenticated trigger from this issue alone.

### Fix Commit(s)
- `2cdbadee1f8fcaa93302d7debbfc529e19868ea4`

### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.21`). Once npm `openclaw@2026.2.21` is published, the advisory can be published without further field edits.

OpenClaw thanks @tdjackey for reporting.
Severity (GHSA): CVSS 4.0 7.3
Vulnerability type
CWE-15 External Control of System or Configuration Setting
CWE-78 OS Command Injection
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026