3 matches found
CVE-2026-22177
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODEOPTIONS or LD through configuration to execute arbitrary code in the OpenClaw gateway service...
GHSA-8FMP-37RC-P5G7 OpenClaw's config env vars allowed startup env injection into service runtime
Summary OpenClaw allowed dangerous process-control environment variables from env.vars for example NODEOPTIONS, LD, DYLD to flow into gateway service runtime environments, enabling startup-time code execution in the OpenClaw process context. Details collectConfigEnvVars accepted unfiltered keys...
OpenClaw's config env vars allowed startup env injection into service runtime
Summary OpenClaw allowed dangerous process-control environment variables from env.vars for example NODEOPTIONS, LD, DYLD to flow into gateway service runtime environments, enabling startup-time code execution in the OpenClaw process context. Details collectConfigEnvVars accepted unfiltered keys...