CVE-2026-42435 Overview
CVE-2026-42435 is a shell-wrapper detection bypass affecting OpenClaw versions from 2026.2.22 before 2026.4.12. The vulnerability allows attackers to inject environment variable assignments at the argv level, bypassing the exec preflight handling that filters dangerous variables. Successful exploitation lets attackers manipulate high-risk shell variables such as SHELLOPTS and PS4, altering execution semantics and undermining downstream security controls. The flaw is classified under [CWE-184: Incomplete List of Disallowed Inputs].
Critical Impact
Attackers with low privileges and network access can inject environment variables that modify shell execution behavior, leading to integrity, confidentiality, and availability impact across affected OpenClaw deployments.
Affected Products
- OpenClaw 2026.2.22 through versions before 2026.4.12
- Components handling env-style argv parsing in dispatch-wrapper-resolution.ts
- Host environment security layer in host-env-security.ts
Discovery Timeline
- 2026-05-05 - CVE-2026-42435 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-42435
Vulnerability Analysis
OpenClaw includes a preflight mechanism that inspects argument vectors passed to shell wrappers such as env, blocking dangerous environment keys before execution. The shell-wrapper detection logic in unwrapEnvInvocation does not fully recognize all forms of env-style invocations and treats only specific separator tokens and flag patterns as continuation signals. Attackers can craft an argv sequence that contains KEY=VALUE assignments which the detector fails to classify as environment overrides. As a result, the assignments propagate to the spawned process while bypassing the dangerous-key filter.
Once bypassed, attackers can set variables like SHELLOPTS, which controls Bash startup behavior, and PS4, which Bash expands when tracing is enabled. Manipulation of PS4 is a known technique for command execution under set -x, and SHELLOPTS can enable tracing or restricted modes that change downstream command semantics.
Root Cause
The root cause is an incomplete denylist within the shell-wrapper recognizer. The previous parser used a narrow set of separators and flag matchers, which allowed argv tokens shaped as environment assignments to slip past detection. Because the detector returned null, the host-env hardening that normally blocks dangerous keys was never applied to those assignments.
Attack Vector
Exploitation requires the ability to influence the argv passed to an OpenClaw dispatch wrapper. An attacker with low privileges can supply crafted argv tokens that include SHELLOPTS=xtrace or PS4=$(payload) at positions the parser does not classify as assignments. The injected variables persist into the executed shell context, enabling subversion of execution semantics and security controls.
// Source: https://github.com/openclaw/openclaw/commit/8f8492d172f4c5b4fd7dd9a47855ed620c8770ab
// Patched parser in src/infra/dispatch-wrapper-resolution.ts
export function unwrapEnvInvocation(argv: string[]): string[] | null {
const parsed = parseEnvInvocationPrelude(argv);
return parsed ? argv.slice(parsed.commandIndex) : null;
}
type ParsedEnvInvocationPrelude = {
assignmentKeys: string[];
commandIndex: number;
};
function parseEnvInvocationPrelude(argv: string[]): ParsedEnvInvocationPrelude | null {
let idx = 1;
let expectsOptionValue = false;
const assignmentKeys: string[] = [];
while (idx < argv.length) {
const token = argv[idx]?.trim() ?? "";
// ... structured parsing replaces narrow separator/flag heuristics
}
}
The patch replaces the narrow separator and flag heuristics with a structured prelude parser that records assignment keys and identifies the actual command boundary. See the GitHub Security Advisory GHSA-j6c7-3h5x-99g9 for additional context.
Detection Methods for CVE-2026-42435
Indicators of Compromise
- Process executions where argv to env or related wrappers contain SHELLOPTS=, PS4=, BASH_ENV=, or ENV= assignments.
- Child shells launched by OpenClaw with tracing enabled or with non-standard PS4 values containing command substitution syntax such as $(...) or backticks.
- Unexpected execution of OpenClaw dispatch wrappers running versions between 2026.2.22 and 2026.4.12.
Detection Strategies
- Inventory OpenClaw deployments and flag any instance not at version 2026.4.12 or later.
- Hunt process telemetry for argv strings matching dangerous environment key patterns delivered alongside env-style binaries.
- Correlate OpenClaw process launches with subsequent shell child processes that show evidence of xtrace behavior or anomalous command substitution.
Monitoring Recommendations
- Enable command-line and environment variable capture in endpoint telemetry to retain full argv for shell wrappers.
- Alert on any OpenClaw-spawned process whose environment includes keys present in the host dangerous-env list, including SHELLOPTS, PS4, BASH_ENV, LD_PRELOAD, and LD_LIBRARY_PATH.
- Track OpenClaw version strings in software inventory feeds to detect regressions or unmanaged installations.
How to Mitigate CVE-2026-42435
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.12 or later, which contains the patched parseEnvInvocationPrelude logic.
- Audit existing automation and CI/CD pipelines that invoke OpenClaw wrappers for argv constructed from untrusted input.
- Restrict who can submit argv to OpenClaw dispatch wrappers through standard authorization controls.
Patch Information
The fix is delivered in commit 8f8492d, which broadens shell-wrapper detection and blocks env-argv assignment injection. The patch introduces HOST_SHELL_WRAPPER_ALLOWED_OVERRIDE_ENV_PREFIX_VALUES to permit only safe prefixes such as LC_ while keeping the dangerous-env denylist authoritative. Additional details are available in the VulnCheck advisory.
Workarounds
- Sanitize argv passed to OpenClaw wrappers to strip tokens matching ^[A-Za-z_][A-Za-z0-9_]*= before invocation.
- Run OpenClaw under a constrained shell environment that resets SHELLOPTS, PS4, BASH_ENV, and ENV prior to execution.
- Disable or gate OpenClaw functionality exposed to low-privilege or network-reachable callers until patching is complete.
# Configuration example: reset high-risk shell variables before invoking OpenClaw
unset SHELLOPTS PS4 BASH_ENV ENV
export PS4='+ '
exec /usr/local/bin/openclaw "$@"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
