CVE-2026-32056
OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run
CVSS Score
7.5
EPSS Score
0.2%
EPSS Percentile
36th
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed.
| CWE | CWE-78 |
| Vendor | openclaw |
| Product | openclaw |
| Published | Mar 21, 2026 |
| Last Updated | Mar 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for openclaw openclaw
Be the first to know when new high vulnerabilities affecting openclaw openclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
OpenClaw / OpenClaw
0 < 2026.2.22
References
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-xgf2-vxv2-rrmg github.com: https://github.com/openclaw/openclaw/commit/c2c7114ed39a547ab6276e1e933029b9530ee906 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shell-startup-environment-variable-injection-in-system-run
Credits
๐ tdjackey