Description
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context.
Published: 2026-03-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution via Environment Variable Injection
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.21 allow dangerous process-control environment variables to go through the configuration file env.vars without filtering. Attackers can inject variables such as NODE_OPTIONS or LD_* prefixes, which are processed by the Node.js runtime, thereby enabling arbitrary code execution at gateway service startup. The weakness is classified as CWE-15 (Improper Control of Resource or Link).

Affected Systems

The affected product is OpenClaw (vendor OpenClaw), in all releases with a version number lower than 2026.2.21. The vulnerability is triggered when an attacker can write to the env.vars configuration file, which is typically part of the OpenClaw gateway service running on Node.js.

Risk and Exploitability

The CVSS base score of 6.9 indicates a medium-severity vulnerability. EPSS data is not available and the issue is not listed in CISA's KEV catalog. Because exploitation requires write access to the env.vars file, the attack vector is inferred to be local and to require only low privileges; successful exploitation would let an attacker execute arbitrary code within the gateway service's process context, giving full control over the service.

Generated by OpenCVE AI on March 18, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by updating OpenClaw to version 2026.2.21 or newer (see GitHub commit https://github.com/openclaw/openclaw/commit/2cdbadee1f8fcaa93302d7debbfc529e19868ea4).
  • Restrict write permissions on the config env.vars file so that only trusted administrators can modify it.
  • If upgrading immediately is not feasible, remove or sanitize dangerous variables such as NODE_OPTIONS and LD_* from the env.vars file.
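The filtering that the third action describes, shown as an added JavaScript example that is not OpenClaw's own code and does not reproduce the fix in the linked commit. The denylist (the exact name NODE_OPTIONS and the LD_ prefix) is taken from this advisory and is an illustrative minimum that a deployment should extend for its own platform and runtime; filterEnvVars, buildRuntimeEnv, isBlockedName and the sample config map are names and values constructed for this example.

```javascript
// Added example, not OpenClaw's own code: drop process-control environment
// variables from a configuration-supplied env map before the map is handed to
// the service runtime. The denylist is an illustrative minimum built from the
// variables named in the advisory (NODE_OPTIONS and the LD_* family).

const BLOCKED_NAMES = new Set(["NODE_OPTIONS"]);
const BLOCKED_PREFIXES = ["LD_"];
const VALID_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Names are compared case-insensitively: env var names are case-sensitive on
// Linux, but matching the upper-cased form costs nothing and also covers
// platforms where they are not.
function isBlockedName(name) {
  const upper = name.toUpperCase();
  if (BLOCKED_NAMES.has(upper)) return true;
  return BLOCKED_PREFIXES.some((prefix) => upper.startsWith(prefix));
}

// Splits a config env map into the entries that may be applied and the ones
// that must be refused; each refusal carries a reason for the audit log.
function filterEnvVars(configVars) {
  const allowed = {};
  const rejected = [];
  for (const [name, value] of Object.entries(configVars)) {
    if (!VALID_NAME.test(name)) {
      rejected.push({ name, reason: "invalid-name" });
    } else if (isBlockedName(name)) {
      rejected.push({ name, reason: "process-control-variable" });
    } else if (typeof value !== "string" || value.includes("\0")) {
      rejected.push({ name, reason: "invalid-value" });
    } else {
      allowed[name] = value;
    }
  }
  return { allowed, rejected };
}

// Builds the runtime environment from an explicit base (not the whole parent
// process.env) and layers only the filtered config entries on top, so a config
// entry can never reintroduce a refused name.
function buildRuntimeEnv(baseEnv, configVars) {
  const { allowed, rejected } = filterEnvVars(configVars);
  const env = { ...baseEnv, ...allowed };
  return { env, rejected };
}

// Constructed sample config for demonstration; the values are placeholders.
const SAMPLE_CONFIG = {
  PORT: "8080",
  LOG_LEVEL: "info",
  NODE_OPTIONS: "placeholder",
  LD_PRELOAD: "placeholder",
  ld_library_path: "placeholder",
  "BAD NAME": "placeholder",
};

if (typeof require !== "undefined" && require.main === module) {
  const { env, rejected } = buildRuntimeEnv({ PATH: "/usr/bin" }, SAMPLE_CONFIG);
  console.log("runtime env:", env);
  for (const r of rejected) console.warn(`refused ${r.name}: ${r.reason}`);
}
```

Refusals are returned rather than silently dropped so the service can log them at startup; a rejected NODE_OPTIONS or LD_* entry in a config file is itself a signal worth alerting on.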

Generated by OpenCVE AI on March 18, 2026 at 04:50 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-8fmp-37rc-p5g7
Title: OpenClaw's config env vars allowed startup env injection into service runtime
History

Wed, 08 Apr 2026 16:30:00 +0000


Wed, 18 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 02:15:00 +0000

Values Removed: (none)

Values Added:
Description: OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context.
Title: OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars
First Time appeared: Openclaw; Openclaw openclaw
Weaknesses: CWE-15
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw; Openclaw openclaw
References:
Metrics (cvssV3_1): {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}
Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-08T16:05:27.893Z

Reserved: 2026-01-06T16:47:17.181Z

Link: CVE-2026-22177

Vulnrichment

Updated: 2026-03-18T19:48:35.532Z

NVD

Status : Modified

Published: 2026-03-18T02:16:21.957

Modified: 2026-04-08T17:21:14.597

Link: CVE-2026-22177

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:53:41Z

Weaknesses