Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-29610

CVE-2026-29610: OpenClaw Command Hijacking RCE Vulnerability

CVE-2026-29610 is a command hijacking vulnerability in OpenClaw that enables remote code execution by manipulating PATH variables. Attackers can execute malicious binaries through compromised directories. Learn about technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-29610 Overview

OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability (CWE-427) that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers with authenticated access to node-host execution surfaces or those running OpenClaw in attacker-controlled directories can place malicious executables in PATH to override allowlisted safe-bin commands and achieve arbitrary command execution.

Critical Impact

Authenticated attackers can hijack command execution by manipulating the PATH environment variable, potentially leading to full system compromise through arbitrary code execution in the context of the OpenClaw application.

Affected Products

  • OpenClaw versions prior to 2026.2.14

Discovery Timeline

  • 2026-03-05 - CVE CVE-2026-29610 published to NVD
  • 2026-03-05 - Last updated in NVD database

Technical Details for CVE-2026-29610

Vulnerability Analysis

This vulnerability stems from insufficient validation and sanitization of the PATH environment variable within OpenClaw's node-host execution and bootstrapping mechanisms. The core issue lies in how the application handles environment variable overrides during command spawning, allowing authenticated users to inject malicious paths that take precedence over legitimate system binaries.

The vulnerable code permitted request-scoped PATH overrides from agents and gateways, which fundamentally breaks the security boundary around command resolution and safe-bin checks. When OpenClaw executes allowlisted commands, it resolves binaries using the PATH environment variable. If an attacker can prepend or modify PATH entries, they can place a malicious executable with the same name as an allowlisted command in a directory they control, causing OpenClaw to execute the attacker's binary instead.

The attack requires authenticated access to node-host execution surfaces or the ability to run OpenClaw within an attacker-controlled directory structure. This makes the vulnerability particularly dangerous in multi-tenant environments or scenarios where OpenClaw processes untrusted project directories.

Root Cause

The root cause is improper handling of the PATH environment variable in the sanitizeEnv() function within src/node-host/invoke.ts. The original implementation attempted to validate PATH modifications but contained logic that still allowed arbitrary PATH values to be merged with the process environment. The PATH variable is a critical security boundary for command resolution and safe-bin checks, and the original code failed to recognize that any request-scoped PATH override poses a security risk.

Attack Vector

The attack leverages network-accessible node-host execution surfaces with low attack complexity but requires authenticated access. An attacker can exploit this vulnerability through two primary vectors:

  1. Node-Host Execution: An authenticated attacker sends requests to the node-host execution interface with crafted environment variable overrides that manipulate the PATH
  2. Project-Local Bootstrapping: An attacker places malicious executables in a controlled directory and runs OpenClaw from that context, causing the application to resolve commands to attacker-controlled binaries

The following patch demonstrates the security fix that hardens PATH handling by completely blocking request-scoped PATH overrides:

typescript
   return value === "off" || value === "on-miss" || value === "always" ? value : "on-miss";
 }
 
-function sanitizeEnv(
+export function sanitizeEnv(
   overrides?: Record<string, string> | null,
 ): Record<string, string> | undefined {
   if (!overrides) {
     return undefined;
   }
   const merged = { ...process.env } as Record<string, string>;
-  const basePath = process.env.PATH ?? DEFAULT_NODE_PATH;
   for (const [rawKey, value] of Object.entries(overrides)) {
     const key = rawKey.trim();
     if (!key) {
       continue;
     }
     const upper = key.toUpperCase();
+    // PATH is part of the security boundary (command resolution + safe-bin checks). Never allow
+    // request-scoped PATH overrides from agents/gateways.
     if (upper === "PATH") {
-      const trimmed = value.trim();
-      if (!trimmed) {
-        continue;
-      }
-      if (!basePath || trimmed === basePath) {
-        merged[key] = trimmed;
-        continue;
-      }
-      const suffix = `${path.delimiter}${basePath}`;

Source: GitHub Commit Change

The fix explicitly recognizes PATH as a security boundary and completely removes the ability for agents or gateways to override it, rather than attempting to validate or sanitize PATH modifications.

Detection Methods for CVE-2026-29610

Indicators of Compromise

  • Unexpected environment variable modifications in OpenClaw process logs, particularly PATH-related changes
  • Execution of binaries from non-standard directories that shadow legitimate system commands
  • Authentication events followed by unusual process spawning patterns within the OpenClaw context
  • Presence of suspicious executables with names matching allowlisted safe-bin commands in user-writable directories

Detection Strategies

  • Monitor OpenClaw node-host execution logs for requests containing environment variable overrides with PATH modifications
  • Implement file integrity monitoring on directories in the system PATH to detect unauthorized binary additions
  • Deploy behavioral detection for process execution chains where OpenClaw spawns binaries from unexpected filesystem locations
  • Audit authentication events to the node-host execution interface and correlate with subsequent process creation

Monitoring Recommendations

  • Enable verbose logging for the OpenClaw sanitizeEnv() function to capture environment manipulation attempts
  • Configure alerts for any process execution where the resolved binary path does not match expected system directories
  • Monitor for creation of new executable files in directories that could be prepended to PATH during OpenClaw execution
  • Review OpenClaw configuration for any exposure of node-host execution surfaces to untrusted networks

How to Mitigate CVE-2026-29610

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.2.14 or later immediately
  • Audit all systems running OpenClaw for signs of compromise, particularly checking for malicious executables in PATH directories
  • Review access controls on node-host execution surfaces and restrict to trusted authenticated users only
  • Verify that OpenClaw is not running from untrusted or user-writable directories

Patch Information

The vulnerability has been addressed in OpenClaw version 2026.2.14. The security patch modifies the sanitizeEnv() function in src/node-host/invoke.ts and hardens exec PATH handling in src/acp/client.ts. The fix completely removes the ability for request-scoped PATH overrides from agents and gateways, treating PATH as an immutable security boundary.

Review the GitHub Security Advisory for complete details. The specific fix can be reviewed in commit 013e8f6b.

Workarounds

  • Restrict network access to OpenClaw node-host execution interfaces using firewall rules until patching is complete
  • Run OpenClaw from system-owned directories with restricted write permissions to prevent placement of malicious executables
  • Implement strict file system permissions on all directories in the system PATH to prevent unauthorized binary additions
  • Consider running OpenClaw in a containerized environment with a hardened, immutable PATH configuration
bash
# Restrict OpenClaw to run from a secure directory with proper permissions
sudo mkdir -p /opt/openclaw
sudo chown root:root /opt/openclaw
sudo chmod 755 /opt/openclaw

# Ensure no user-writable directories precede system directories in PATH
export PATH=/usr/local/bin:/usr/bin:/bin

# Verify OpenClaw version
openclaw --version
# Expected output should show 2026.2.14 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.