Description
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.
Published: 2026-02-02
Score: 8.8 High
EPSS: 4.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in OpenClaw’s Docker sandbox execution. The vulnerability arises from unsafe handling of the PATH environment variable: its value is concatenated into the shell command string used to run work inside the container rather than being passed to the container as plain environment data, so shell metacharacters in the value are interpreted by the shell. An authenticated user who can set environment variables can therefore cause the container to run arbitrary shell commands. This is OS command injection (CWE‑78).

Affected Systems

OpenClaw (formerly Clawdbot) prior to version 2026.1.29 is affected. The issue is present in every installation that uses the Docker sandbox execution mechanism before the fixed release. The CPE recorded for this CVE is cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* (vendor openclaw, product openclaw, Node.js target software); the GitHub advisory still refers to the project as OpenClaw/Clawdbot.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high severity: the flaw is reachable over the network with low attack complexity, requires only low privileges and no user interaction, and has high impact on confidentiality, integrity and availability. Scope is unchanged, so the score rates impact on the OpenClaw deployment itself, not a container escape. The EPSS score of 4.8% indicates a low estimated probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded on this page likewise lists exploitation as none and the flaw as not automatable. Exploitation requires authenticated access that lets the attacker set the environment variables used when the command is constructed. The advisory does not state whether host privileges are required; if the container runs with elevated privileges (for example privileged mode or a mounted Docker socket), an injected command could affect the host, but this is an inference from typical container behaviour and is not confirmed by the vendor.

Generated by OpenCVE AI on June 18, 2026 at 05:18 UTC.

Remediation

The vendor fix is OpenClaw version 2026.1.29, as stated in the description and in GitHub advisory GHSA-mc68-q9jw-2h3v. No separate workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.1.29 or later to apply the vendor‑provided fix.
  • Until the upgrade is applied, review OpenClaw’s Docker configuration so that authenticated users cannot supply arbitrary PATH values, and ensure the PATH inside the container is hard‑coded or validated against an allowlist (absolute directories joined by ':') and passed as environment data rather than interpolated into a shell command string.
  • Run the OpenClaw container with the minimal required privileges and restrict host access, so that even if a command is injected, the attacker cannot affect the host system.

Generated by OpenCVE AI on June 18, 2026 at 05:18 UTC.


Advisories

Source: GitHub GHSA
ID: GHSA-mc68-q9jw-2h3v
Title: OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable
History

Fri, 13 Feb 2026 14:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Wed, 04 Feb 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:30:00 +0000

Type: First Time appeared
Values added: Openclaw; Openclaw openclaw

Type: Vendors & Products
Values added: Openclaw; Openclaw openclaw

Mon, 02 Feb 2026 23:15:00 +0000

Type: Description
Values added: OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.

Type: Title
Values added: Authenticated Command Injection in OpenClaw Docker Execution via PATH Environment Variable

Type: Weaknesses
Values added: CWE-78

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:53:56.345Z

Reserved: 2026-01-26T21:06:47.867Z

Link: CVE-2026-24763

Vulnrichment

Updated: 2026-02-04T15:54:32.737Z

NVD

Status : Analyzed

Published: 2026-02-02T23:16:08.593

Modified: 2026-06-17T10:23:33.050

Link: CVE-2026-24763

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T05:30:15Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')