CVE-2026-29610 Overview
OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability (CWE-427) that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers with authenticated access to node-host execution surfaces or those running OpenClaw in attacker-controlled directories can place malicious executables in PATH to override allowlisted safe-bin commands and achieve arbitrary command execution.
Critical Impact
Authenticated attackers can hijack command execution by manipulating the PATH environment variable, potentially leading to full system compromise through arbitrary code execution in the context of the OpenClaw application.
Affected Products
- OpenClaw versions prior to 2026.2.14
Discovery Timeline
- 2026-03-05 - CVE CVE-2026-29610 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-29610
Vulnerability Analysis
This vulnerability stems from insufficient validation and sanitization of the PATH environment variable within OpenClaw's node-host execution and bootstrapping mechanisms. The core issue lies in how the application handles environment variable overrides during command spawning, allowing authenticated users to inject malicious paths that take precedence over legitimate system binaries.
The vulnerable code permitted request-scoped PATH overrides from agents and gateways, which fundamentally breaks the security boundary around command resolution and safe-bin checks. When OpenClaw executes allowlisted commands, it resolves binaries using the PATH environment variable. If an attacker can prepend or modify PATH entries, they can place a malicious executable with the same name as an allowlisted command in a directory they control, causing OpenClaw to execute the attacker's binary instead.
The attack requires authenticated access to node-host execution surfaces or the ability to run OpenClaw within an attacker-controlled directory structure. This makes the vulnerability particularly dangerous in multi-tenant environments or scenarios where OpenClaw processes untrusted project directories.
Root Cause
The root cause is improper handling of the PATH environment variable in the sanitizeEnv() function within src/node-host/invoke.ts. The original implementation attempted to validate PATH modifications but contained logic that still allowed arbitrary PATH values to be merged with the process environment. The PATH variable is a critical security boundary for command resolution and safe-bin checks, and the original code failed to recognize that any request-scoped PATH override poses a security risk.
Attack Vector
The attack leverages network-accessible node-host execution surfaces with low attack complexity but requires authenticated access. An attacker can exploit this vulnerability through two primary vectors:
- Node-Host Execution: An authenticated attacker sends requests to the node-host execution interface with crafted environment variable overrides that manipulate the PATH
- Project-Local Bootstrapping: An attacker places malicious executables in a controlled directory and runs OpenClaw from that context, causing the application to resolve commands to attacker-controlled binaries
The following patch demonstrates the security fix that hardens PATH handling by completely blocking request-scoped PATH overrides:
return value === "off" || value === "on-miss" || value === "always" ? value : "on-miss";
}
-function sanitizeEnv(
+export function sanitizeEnv(
overrides?: Record<string, string> | null,
): Record<string, string> | undefined {
if (!overrides) {
return undefined;
}
const merged = { ...process.env } as Record<string, string>;
- const basePath = process.env.PATH ?? DEFAULT_NODE_PATH;
for (const [rawKey, value] of Object.entries(overrides)) {
const key = rawKey.trim();
if (!key) {
continue;
}
const upper = key.toUpperCase();
+ // PATH is part of the security boundary (command resolution + safe-bin checks). Never allow
+ // request-scoped PATH overrides from agents/gateways.
if (upper === "PATH") {
- const trimmed = value.trim();
- if (!trimmed) {
- continue;
- }
- if (!basePath || trimmed === basePath) {
- merged[key] = trimmed;
- continue;
- }
- const suffix = `${path.delimiter}${basePath}`;
Source: GitHub Commit Change
The fix explicitly recognizes PATH as a security boundary and completely removes the ability for agents or gateways to override it, rather than attempting to validate or sanitize PATH modifications.
Detection Methods for CVE-2026-29610
Indicators of Compromise
- Unexpected environment variable modifications in OpenClaw process logs, particularly PATH-related changes
- Execution of binaries from non-standard directories that shadow legitimate system commands
- Authentication events followed by unusual process spawning patterns within the OpenClaw context
- Presence of suspicious executables with names matching allowlisted safe-bin commands in user-writable directories
Detection Strategies
- Monitor OpenClaw node-host execution logs for requests containing environment variable overrides with PATH modifications
- Implement file integrity monitoring on directories in the system PATH to detect unauthorized binary additions
- Deploy behavioral detection for process execution chains where OpenClaw spawns binaries from unexpected filesystem locations
- Audit authentication events to the node-host execution interface and correlate with subsequent process creation
Monitoring Recommendations
- Enable verbose logging for the OpenClaw sanitizeEnv() function to capture environment manipulation attempts
- Configure alerts for any process execution where the resolved binary path does not match expected system directories
- Monitor for creation of new executable files in directories that could be prepended to PATH during OpenClaw execution
- Review OpenClaw configuration for any exposure of node-host execution surfaces to untrusted networks
How to Mitigate CVE-2026-29610
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Audit all systems running OpenClaw for signs of compromise, particularly checking for malicious executables in PATH directories
- Review access controls on node-host execution surfaces and restrict to trusted authenticated users only
- Verify that OpenClaw is not running from untrusted or user-writable directories
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.14. The security patch modifies the sanitizeEnv() function in src/node-host/invoke.ts and hardens exec PATH handling in src/acp/client.ts. The fix completely removes the ability for request-scoped PATH overrides from agents and gateways, treating PATH as an immutable security boundary.
Review the GitHub Security Advisory for complete details. The specific fix can be reviewed in commit 013e8f6b.
Workarounds
- Restrict network access to OpenClaw node-host execution interfaces using firewall rules until patching is complete
- Run OpenClaw from system-owned directories with restricted write permissions to prevent placement of malicious executables
- Implement strict file system permissions on all directories in the system PATH to prevent unauthorized binary additions
- Consider running OpenClaw in a containerized environment with a hardened, immutable PATH configuration
# Restrict OpenClaw to run from a secure directory with proper permissions
sudo mkdir -p /opt/openclaw
sudo chown root:root /opt/openclaw
sudo chmod 755 /opt/openclaw
# Ensure no user-writable directories precede system directories in PATH
export PATH=/usr/local/bin:/usr/bin:/bin
# Verify OpenClaw version
openclaw --version
# Expected output should show 2026.2.14 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
