OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function,…
VulnCheck·CWE-78·Published 2026-03-03
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed.
### Summary

`system.run` environment sanitization allowed shell-startup env overrides (`HOME`, `ZDOTDIR`) that can execute attacker-controlled startup files before allowlist-evaluated command bodies.

### Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected: `<= 2026.2.21-2` (latest published vulnerable version)
- Planned patched version: `>= 2026.2.22`

### Technical Details

In affected versions:

- Env sanitization blocked many dangerous keys, but not startup-sensitive override keys (`HOME`, `ZDOTDIR`) in host exec env paths.
- Shell-wrapper analysis for allowlist mode models command bodies, but not shell startup side effects.
- Runtime execution used the sanitized env, so attacker-provided startup-key overrides could run hidden startup payloads first.

Observed exploit vectors:

- `HOME` + `bash -lc` + malicious `.bash_profile`
- `ZDOTDIR` + `zsh -c` + malicious `.zshenv`

### Fix Commit(s)

- `c2c7114ed39a547ab6276e1e933029b9530ee906`

### Release Process Note

`patched_versions` is pre-set to the planned next release (`>= 2026.2.22`). After the npm release is published, this advisory can be published directly.

OpenClaw thanks @tdjackey for reporting.
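The defect described above is that a key-based env sanitizer modelled the command body but not what the shell does before running it. The following is an added example, not OpenClaw's code or its fix, of how a host exec path can refuse shell-startup overrides before spawning a shell under an allowlist. The page names only `HOME` and `ZDOTDIR`; `BASH_ENV`, `ENV` and the `LD_`/`DYLD_` prefixes are this example's own additions (real shell and loader mechanisms, but not part of the advisory), and the function names, the `strict` option and all sample values such as `/tmp/evil` are constructed for illustration.

```javascript
// Added example (not OpenClaw's code): a hardened env sanitizer for a host
// exec path that runs allowlist-checked commands through a shell.
// The advisory names HOME and ZDOTDIR; the other entries are this example's
// assumption, based on which variables control shell startup-file lookup:
//   HOME     - every shell resolves ~/.bash_profile, ~/.zshrc, ... from it
//   ZDOTDIR  - zsh reads .zshenv/.zshrc from here instead of HOME
//   BASH_ENV - bash sources this file even for non-interactive `bash -c`
//   ENV      - sh/ksh (and bash in POSIX mode) source this file on startup
const STARTUP_OVERRIDE_KEYS = new Set(['HOME', 'ZDOTDIR', 'BASH_ENV', 'ENV']);

// Dynamic-loader overrides that a key-based filter should never accept
// (assumed list; extend with the platform's own loader variables).
const BLOCKED_KEY_PREFIXES = ['LD_', 'DYLD_'];

function isBlockedKey(key) {
  const k = key.toUpperCase();
  if (STARTUP_OVERRIDE_KEYS.has(k)) return true;
  return BLOCKED_KEY_PREFIXES.some((prefix) => k.startsWith(prefix));
}

/**
 * Merge untrusted env overrides onto the trusted host environment.
 * requested - caller-supplied overrides (untrusted)
 * baseEnv   - the trusted host environment (e.g. process.env)
 * Returns { env, dropped }: the merged env plus the keys that were refused,
 * so the caller can log or deny the request instead of silently proceeding.
 */
function sanitizeExecEnv(requested, baseEnv) {
  const env = { ...baseEnv };
  const dropped = [];
  for (const [key, value] of Object.entries(requested || {})) {
    if (isBlockedKey(key)) {
      dropped.push(key);
      continue;
    }
    env[key] = value;
  }
  return { env, dropped };
}

/**
 * Plan a shell-wrapped exec under allowlist policy (hypothetical helper).
 * In strict mode any refused key fails the whole request: a caller that set
 * HOME or ZDOTDIR was trying to influence startup, and dropping the key
 * quietly would hide that from the audit log.
 */
function planShellExec(command, requestedEnv, baseEnv, { strict = true } = {}) {
  const { env, dropped } = sanitizeExecEnv(requestedEnv, baseEnv);
  if (strict && dropped.length > 0) {
    return { ok: false, reason: `refused env overrides: ${dropped.join(', ')}` };
  }
  // Non-login `bash -c` does not read .bash_profile (which is why the
  // advisory's vector needs `-l`), but BASH_ENV and zsh's .zshenv still
  // apply to `-c` shells, so the keys must be stripped regardless of flags.
  return { ok: true, argv: ['bash', ['-c', command]], env };
}

module.exports = { sanitizeExecEnv, planShellExec, isBlockedKey };
```

The result of `planShellExec` can be passed straight to `child_process.spawn(argv[0], argv[1], { env })`; the important design point is that the base environment is always the host's own and untrusted overrides are only layered on top after the startup-sensitive keys have been refused, so a command that passes allowlist analysis runs under the same shell startup files the operator configured.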
| Version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 7.5 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 7.5 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 7.5 | 1.6 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 4.0 | Primary | cve.org | 7.7 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| 4.0 | Secondary | GHSA | 7.7 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| 4.0 | Secondary | NVD | 7.7 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |