Description
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.
Published: 2026-02-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

A command injection flaw exists in OpenClaw’s Docker sandbox execution. The vulnerability arises from unsafe concatenation of the PATH environment variable into shell commands used inside the container. When an authenticated user can control environment variables, they may cause the container to run arbitrary shell commands. This flaw is a classic OS command injection vulnerability (CWE‑78) that yields system‑level code execution.

Affected Systems

OpenClaw (formerly Clawdbot) prior to version 2026.1.29 is affected. The issue is present in all installations that use the vulnerable Docker execution mechanism before the released fix. The vendor:product identifier recorded for the issue is clawdbot:clawdbot.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score of less than 1% shows a low probability of active exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access that allows the attacker to inject environment variables and is likely limited to users with administrative privileges on the host. While the risk to unprivileged users is minimal, an attacker who gains this capability can gain full control of the container and potentially the host if the container runs with elevated privileges.

Generated by OpenCVE AI on April 18, 2026 at 14:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.1.29 or later to apply the vendor‑provided fix.
  • Review and modify OpenClaw’s Docker configuration to remove the ability for authenticated users to set arbitrary PATH values, ensuring the PATH inside the container is hard‑coded or sanitized.
  • Run the OpenClaw container with the minimal required privileges and restrict host access, so that even if a command is injected, the attacker cannot affect the host system.
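The "hard‑coded or sanitized PATH" recommendation above, as an added illustration that is not OpenClaw's own code: a hypothetical Node.js command builder that concatenates a user‑supplied PATH into a `sh -c` string (the CWE‑78 pattern this advisory describes) beside a hardened builder that validates PATH and passes it as an argv array to `docker exec -e`, so no shell ever interprets it. The function names, the docker invocation shape and the allowed‑character policy are assumptions.

```javascript
// Added illustration of the PATH-concatenation pattern described in the advisory.
// This is NOT OpenClaw's code; function names and the docker invocation are assumptions.

// Vulnerable pattern: an attacker-controllable PATH is interpolated into a string
// that is later handed to `sh -c`, so shell metacharacters in PATH become commands.
function buildCommandUnsafe(containerId, userPath, program) {
  return `docker exec ${containerId} sh -c "export PATH=${userPath}; ${program}"`;
}

// Policy (assumed): PATH must be colon-separated absolute directories made only of
// [A-Za-z0-9_./-]. Quotes, `;`, `$`, backticks, whitespace, empty and relative
// entries are all rejected, so the value can never change the command's meaning.
const PATH_ENTRY = /^\/[A-Za-z0-9_.\/-]*$/;

function isSafePath(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 4096) {
    return false;
  }
  return value.split(':').every((entry) => PATH_ENTRY.test(entry));
}

// Hardened pattern: validate PATH, then pass it as a discrete `-e` argument in an
// argv array meant for child_process.execFile/spawn with no shell. Even if the
// validation were loosened, metacharacters would reach docker as literal bytes.
function buildCommandSafe(containerId, userPath, program) {
  if (!isSafePath(userPath)) {
    throw new Error('PATH rejected: only absolute, colon-separated entries of safe characters are allowed');
  }
  return ['docker', 'exec', '-e', `PATH=${userPath}`, containerId, program];
}
```

`buildCommandSafe` returns the argv array so the caller can hand it to `execFile(argv[0], argv.slice(1))`; the `program` argument still needs its own validation, which is outside what this advisory covers.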

Advisories

Source       ID                   Title
Github GHSA  GHSA-mc68-q9jw-2h3v  OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable

History

(Each entry lists the record fields changed at that time; no entry removed values, so only the added values are shown.)

Fri, 13 Feb 2026 14:30:00 +0000
  Type:         CPEs
  Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Wed, 04 Feb 2026 18:15:00 +0000
  Type:         Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:30:00 +0000
  Type:         First Time appeared
  Values Added: Openclaw; Openclaw openclaw
  Type:         Vendors & Products
  Values Added: Openclaw; Openclaw openclaw

Mon, 02 Feb 2026 23:15:00 +0000
  Type:         Description
  Values Added: OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.
  Type:         Title
  Values Added: Authenticated Command Injection in OpenClaw Docker Execution via PATH Environment Variable
  Type:         Weaknesses
  Values Added: CWE-78
  Type:         References
  Values Added: (no values shown on the page)
  Type:         Metrics (cvssV3_1)
  Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:53:56.345Z

Reserved: 2026-01-26T21:06:47.867Z

Link: CVE-2026-24763

Vulnrichment

Updated: 2026-02-04T15:54:32.737Z

NVD

Status: Analyzed

Published: 2026-02-02T23:16:08.593

Modified: 2026-02-13T14:28:51.560

Link: CVE-2026-24763

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z

Weaknesses