CVE-2026-32056
published 2026-03-21


Priority: P2 (66), critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
EPSS: 0.56% (42.3rd percentile)
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed.
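The mechanism in the description, shown as an added example (this is not OpenClaw's code, and the page does not show the real system.run): an allowlist check that runs first, then a login shell that inherits the caller's HOME, so `$HOME/.bash_profile` executes before the allowlisted command ever runs. The hardened variant keeps the same allowlist but strips the startup-file variables and executes argv directly. The allowlist contents, the `/var/empty` safe HOME and the inclusion of BASH_ENV/ENV alongside HOME and ZDOTDIR are assumptions for illustration.

```python
import os
import shlex
import shutil
import subprocess
import tempfile
from typing import Mapping

# Variables that steer which startup files a shell sources. The advisory names
# HOME and ZDOTDIR; BASH_ENV and ENV are added on the same principle
# (assumption, not stated on the advisory page).
STARTUP_ENV_VARS = frozenset({"HOME", "ZDOTDIR", "BASH_ENV", "ENV"})

# Assumption: a directory the service owns that contains no dotfiles.
SAFE_HOME = "/var/empty"

# Hypothetical allowlist; OpenClaw's real allowlist is not shown on the page.
ALLOWLIST = frozenset({"echo", "ls", "cat"})


def is_allowlisted(command: str, allowlist=ALLOWLIST) -> bool:
    """Allowlist check on the program name only."""
    argv = shlex.split(command)
    return bool(argv) and os.path.basename(argv[0]) in allowlist


def sanitize_env(env: Mapping[str, str], safe_home: str = SAFE_HOME) -> dict:
    """Drop shell-startup variables from a caller-supplied env and pin HOME."""
    clean = {k: v for k, v in env.items() if k not in STARTUP_ENV_VARS}
    clean["HOME"] = safe_home
    return clean


def run_vulnerable(command: str, env: Mapping[str, str]) -> str:
    """Sketch of the pre-fix pattern: allowlist first, then hand the caller's
    environment to a login shell, which sources $HOME/.bash_profile before it
    looks at `command` at all."""
    if not is_allowlisted(command):
        raise PermissionError(f"not allowlisted: {command}")
    proc = subprocess.run(["bash", "-l", "-c", command], env=dict(env),
                          capture_output=True, text=True)
    return proc.stdout


def run_hardened(command: str, env: Mapping[str, str]) -> str:
    """Hardened form: same allowlist, but no login shell, no caller control over
    startup-file variables, and argv executed directly (no shell parsing)."""
    if not is_allowlisted(command):
        raise PermissionError(f"not allowlisted: {command}")
    proc = subprocess.run(shlex.split(command), env=sanitize_env(env),
                          capture_output=True, text=True)
    return proc.stdout


def demo() -> tuple:
    """Plant a .bash_profile in a throwaway HOME and run an allowlisted command
    through both paths. Returns (vulnerable_stdout, hardened_stdout)."""
    if shutil.which("bash") is None:
        return ("", "")
    with tempfile.TemporaryDirectory() as fake_home:
        with open(os.path.join(fake_home, ".bash_profile"), "w") as f:
            f.write("echo STARTUP-FILE-RAN-FIRST\n")  # stands in for attacker code
        attacker_env = {"HOME": fake_home,
                        "PATH": os.environ.get("PATH", "/usr/bin:/bin")}
        return (run_vulnerable("echo allowed", attacker_env),
                run_hardened("echo allowed", attacker_env))


if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable:", repr(vuln))  # startup-file output appears before "allowed"
    print("hardened:  ", repr(hard))  # only the allowlisted command's output
```

Running `demo()` on a host with bash shows the point of the advisory: the allowlist was satisfied in both cases, but only the hardened path prevents the planted startup file from running first. Executing argv directly rather than through `bash -c` also removes the shell's own metacharacter handling from the allowlist's trust boundary; if a shell is genuinely required, `bash --noprofile --norc -c` with the sanitized environment is the narrower option.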

Affected (2 ranges)

Vendor     Product    Version range       Fixed in
openclaw   openclaw   < 2026.2.22         2026.2.22
openclaw   openclaw   >= 0, < 2026.2.22   2026.2.22

Detection & IOCs (extracted from sources)

filename: .bash_profile
filename: .zshenv
  • Monitor for attacker-controlled values in the HOME or ZDOTDIR environment variables passed to shell processes spawned by OpenClaw's system.run function, which can redirect shell startup file loading to attacker-controlled paths.
  • Alert on shell startup files (.bash_profile, .zshenv) being written to or read from unexpected or attacker-controlled directories, particularly in the context of OpenClaw (openclaw) process execution.
  • Detect code execution occurring prior to allowlist-evaluated commands in OpenClaw's system.run function, which may indicate exploitation via poisoned shell startup environment variables.
  • The vulnerability affects OpenClaw versions prior to 2026.2.22; ensure the patched version is deployed to remediate the unsanitized HOME and ZDOTDIR handling in system.run.
  • The command allowlist protection in OpenClaw's system.run can be fully bypassed via this vulnerability, meaning allowlist-based defenses alone are insufficient on unpatched versions.
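The first two detection points above, turned into a checker as an added example (not from the page's sources or from OpenClaw): it walks process-telemetry records, flags shells spawned under an `openclaw` parent whose HOME or ZDOTDIR points outside the expected home roots, and flags opens of shell startup files outside those roots. The record schema (`type`, `pid`, `parent_comm`, `argv`, `env`, `path`), the expected home roots and the sample records are all constructed for this example.

```python
import json
import os

SHELLS = frozenset({"sh", "bash", "dash", "zsh", "ksh"})
# The two files named on the page plus the other usual startup files (assumption).
STARTUP_FILES = frozenset({".bash_profile", ".bash_login", ".profile", ".bashrc",
                           ".zshenv", ".zprofile", ".zshrc", ".zlogin"})
# Assumption: where service-account homes legitimately live on this host.
EXPECTED_HOME_ROOTS = ("/home", "/root", "/var/empty")


def under_expected_root(path: str, roots=EXPECTED_HOME_ROOTS) -> bool:
    """True if path is one of the roots or lies below one.
    Compares on path components so /root does not match /rootkit."""
    p = os.path.normpath(path)
    return any(p == os.path.normpath(r) or p.startswith(os.path.normpath(r) + os.sep)
               for r in roots)


def check_record(rec: dict) -> list:
    """Return findings for one telemetry record (empty list if benign)."""
    findings = []
    if rec.get("parent_comm") != "openclaw":
        return findings
    if rec.get("type") == "exec":
        argv = rec.get("argv") or []
        if not argv or os.path.basename(argv[0]) not in SHELLS:
            return findings
        env = dict(kv.split("=", 1) for kv in rec.get("env", []) if "=" in kv)
        for var in ("HOME", "ZDOTDIR"):
            val = env.get(var)
            if val is not None and not under_expected_root(val):
                findings.append({"pid": rec.get("pid"),
                                 "rule": f"{var} redirected for shell under openclaw",
                                 "detail": f"{var}={val}"})
    elif rec.get("type") == "open":
        path = rec.get("path", "")
        if (os.path.basename(path) in STARTUP_FILES
                and not under_expected_root(os.path.dirname(path))):
            findings.append({"pid": rec.get("pid"),
                             "rule": "shell startup file outside expected home",
                             "detail": path})
    return findings


def scan(lines) -> list:
    """Scan JSON-lines telemetry and return all findings in input order."""
    out = []
    for line in lines:
        line = line.strip()
        if line:
            out.extend(check_record(json.loads(line)))
    return out


# Constructed sample telemetry; not real OpenClaw, auditd or EDR output.
SAMPLE_TELEMETRY = [
    '{"type":"exec","pid":101,"parent_comm":"openclaw","argv":["bash","-l","-c","ls"],'
    '"env":["HOME=/home/svc","PATH=/usr/bin:/bin"]}',
    '{"type":"exec","pid":102,"parent_comm":"openclaw","argv":["bash","-l","-c","ls"],'
    '"env":["HOME=/tmp/.x","PATH=/usr/bin:/bin"]}',
    '{"type":"exec","pid":103,"parent_comm":"openclaw","argv":["zsh","-c","cat /etc/hostname"],'
    '"env":["HOME=/home/svc","ZDOTDIR=/dev/shm/z"]}',
    '{"type":"open","pid":103,"parent_comm":"openclaw","comm":"zsh","path":"/dev/shm/z/.zshenv"}',
    '{"type":"open","pid":101,"parent_comm":"openclaw","comm":"bash","path":"/home/svc/.bashrc"}',
    '{"type":"exec","pid":104,"parent_comm":"cron","argv":["bash","-c","run-parts"],"env":["HOME=/tmp"]}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_TELEMETRY):
        print(finding)
```

Of the six constructed records, three produce findings: the bash spawn with HOME under /tmp, the zsh spawn with ZDOTDIR under /dev/shm, and the subsequent open of /dev/shm/z/.zshenv. The cron-spawned shell with HOME=/tmp is deliberately ignored because the rule is scoped to the openclaw parent; widen the parent filter if the same service runs under another process name.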

CVSS provenance

nvd, v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd, v4.0: 7.7 HIGH (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)

Note that the two NVD vectors disagree on preconditions: v3.1 scores the issue as unauthenticated and low complexity (PR:N, AC:L), while v4.0 scores it as requiring low privileges and high complexity (PR:L, AC:H). Check which assumption matches how system.run is exposed in your deployment before prioritizing.