OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers with authenticated access to node-host execution surfaces or those running OpenClaw in attacker-controlled directories can place malicious executables in PATH to override allowlisted safe-bin commands and achieve arbitrary command execution.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v4.0
Weakness Type (CWE)
References 3
https://github.com/openclaw/openclaw/commit/013e8f6b3be3333a229a066eef26a45fec4…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-jqpq-mgvm-f9r6
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-command-hijacking-via-unsafe-path…
disclosure@vulncheck.com