CVE-2026-32056
Published 2026-03-21
Priority P2 · 66 · critical · 9.8 CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.56% (42.3th percentile)
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openclaw | openclaw | < 2026.2.22 | 2026.2.22 |
| openclaw | openclaw | >= 0 < 2026.2.22 | 2026.2.22 |
Detection & IOCs (extracted from sources)
- Monitor for attacker-controlled values in the HOME or ZDOTDIR environment variables passed to shell processes spawned by OpenClaw's system.run function, which can redirect shell startup file loading to attacker-controlled paths.
- Alert on shell startup files (.bash_profile, .zshenv) being written to or read from unexpected or attacker-controlled directories, particularly in the context of OpenClaw (openclaw) process execution.
- Detect code execution occurring prior to allowlist-evaluated commands in OpenClaw's system.run function, which may indicate exploitation via poisoned shell startup environment variables.
- The vulnerability affects OpenClaw versions prior to 2026.2.22; ensure the patched version is deployed to remediate the unsanitized HOME and ZDOTDIR handling in system.run.
- The command allowlist protection in OpenClaw's system.run can be fully bypassed via this vulnerability, meaning allowlist-based defenses alone are insufficient on unpatched versions.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 7.7 HIGH, vector CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
osv · 2026-03-03
CVE-2026-32056 [HIGH] OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
### Summary
`system.run` environment sanitization allowed shell-startup env overrides (`HOME`, `ZDOTDIR`) that can execute attacker-controlled startup files before allowlist-evaluated command bodies.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `< 2026.2.22`
### Technical Details
In affected versions:
- Env sanitization blocked many dangerous keys, but not startup-sensitive override keys (`HOME`, `ZDOTDIR`) in host exec env paths.
- Shell-wrapper analysis for allowlist mode models command bodies, but not shell startup side effects.
- Runtime execution used sanitized env, so attacker-provided startup-key overrides could run hidden startup payloads first.
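The two sanitizer shapes the advisory contrasts, as an added JavaScript example that is not OpenClaw's own code: a denylist that rejects known-dangerous keys but lets shell-startup keys through, beside a hardened version that also strips `HOME` and `ZDOTDIR` (and, going beyond what the advisory names, `BASH_ENV` and `ENV`, the equivalent startup hooks for bash and POSIX sh), builds the spawn environment from a trusted base, and reports every dropped key so the host can log it. Function and constant names are hypothetical, and the sample request is constructed.

```javascript
// Added example, not OpenClaw's own code; names are hypothetical.

// Keys a typical "dangerous env" denylist already rejects (constructed sample).
const DANGEROUS_KEYS = new Set([
  "LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES", "NODE_OPTIONS",
]);

// Keys that redirect which startup files a shell sources before the command
// body runs. HOME and ZDOTDIR are the ones named in the advisory; BASH_ENV and
// ENV are added here as the same class for bash and POSIX sh (beyond the page).
const SHELL_STARTUP_KEYS = new Set(["HOME", "ZDOTDIR", "BASH_ENV", "ENV"]);

// Vulnerable shape: rejects only known-dangerous keys, so a caller-supplied
// HOME or ZDOTDIR survives and the spawned shell reads its startup files from
// that path before the allowlist-checked command body ever runs.
function sanitizeEnvWeak(callerEnv) {
  const out = {};
  for (const [k, v] of Object.entries(callerEnv)) {
    if (!DANGEROUS_KEYS.has(k)) out[k] = v;
  }
  return out;
}

// Hardened shape: also strips startup-sensitive keys and returns every dropped
// key so the host can log the attempt (the first detection item above).
function sanitizeEnvHardened(callerEnv) {
  const env = {};
  const dropped = [];
  for (const [k, v] of Object.entries(callerEnv)) {
    if (DANGEROUS_KEYS.has(k) || SHELL_STARTUP_KEYS.has(k)) dropped.push(k);
    else env[k] = v;
  }
  return { env, dropped };
}

// Build the env for the spawned shell from a trusted base so that HOME and
// ZDOTDIR always come from the host, never from the request.
function buildSpawnEnv(trustedBase, callerEnv) {
  const { env, dropped } = sanitizeEnvHardened(callerEnv);
  return { env: { ...trustedBase, ...env }, dropped };
}

// Constructed request: an allowlisted command with env overrides attached.
const sampleEnv = { HOME: "/tmp/untrusted", ZDOTDIR: "/tmp/untrusted", TZ: "UTC" };
const trustedBase = { HOME: "/home/svc", PATH: "/usr/bin:/bin" };
console.log(sanitizeEnvWeak(sampleEnv));               // HOME override survives
console.log(buildSpawnEnv(trustedBase, sampleEnv));    // HOME from host; dropped: HOME, ZDOTDIR
```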
Observed exploit v
GHSA
ghsa · 2026-03-03
CVE-2026-32056 [HIGH] CWE-15 OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
No detection rules found.
No public exploits indexed.