CVE-2026-32056
OpenClaw prior to version 2026.2.22 is vulnerable to remote code execution via shell startup environment variable injection in system.run. The root cause is failure to sanitize HOME and ZDOTDIR, allowing an attacker to place startup files (e.g., .bash_profile or .zshenv) that are read before allo...