12 matches found
OpenClaw OS Command Injection Vulnerability (CNVD-2026-16044)
OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an operating system command injection vulnerability. The vulnerability is caused by failing to filter the shell startup environment variables HOME and ZDOTDIR in the system.run function. An attacker ca...
EUVD-2026-13958
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bashprofile or .zshenv to achieve arbitra...
CVE-2026-32056
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bashprofile or .zshenv to achieve arbitra...
CVE-2026-32056
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bashprofile or .zshenv to achieve arbitra...
CVE-2026-32056
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bashprofile or .zshenv to achieve arbitra...
CVE-2026-32056 OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bashprofile or .zshenv to achieve arbitra...
CVE-2026-32056 OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bashprofile or .zshenv to achieve arbitra...
CVE-2026-32056
OpenClaw prior to version 2026.2.22 is vulnerable to remote code execution via shell startup environment variable injection in system.run. The root cause is failure to sanitize HOME and ZDOTDIR, allowing an attacker to place startup files (e.g., .bash_profile or .zshenv) that are read before allo...
OpenClaw 操作系统命令注入漏洞
OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an operating system command injection vulnerability. The vulnerability is caused by failing to filter the shell startup environment variables HOME and ZDOTDIR in the system.run function. An attacker ca...
PT-2026-26738
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash profile or .zshenv to achieve...
OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
Summary system.run environment sanitization allowed shell-startup env overrides HOME, ZDOTDIR that can execute attacker-controlled startup files before allowlist-evaluated command bodies. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.22 Technical Details In affected...
OpenClaw shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths
Summary OpenClaw shell-env fallback trusted startup environment values and could execute attacker-influenced login-shell startup paths before loading env keys. Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.1.5 and = 2026.2.21-2 - Fixed on main:...