Skip to content

OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)

High severity GitHub Reviewed Published Feb 15, 2026 in openclaw/openclaw • Updated Feb 18, 2026

Package

npm openclaw (npm)

Affected versions

< 2026.2.14

Patched versions

2026.2.14

Description

Command hijacking via PATH handling

Discovered: 2026-02-04
Reporter: @akhmittra

Summary

OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary ("command hijacking") when running host commands.

This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects PATH to be trustworthy.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.2.14
  • Patched: >= 2026.2.14 (planned next release)

What Is Required To Trigger This

A) Node Host PATH override (remote command hijack)

An attacker needs all of the following:

  • Authenticated/authorized access to an execution surface that can invoke node-host execution (for example, a compromised gateway or a caller that can issue system.run).
  • A node host connected and exposing system.run.
  • A configuration where allowlist/safe-bins are expected to restrict execution (this is not meaningful if full arbitrary exec is already allowed).
  • The ability to pass request-scoped environment overrides (specifically PATH) into system.run.
  • A way to place an attacker-controlled executable earlier in PATH (for example, a writable directory on the node host), with a name that matches an allowlisted/safe-bin command that OpenClaw will run.

Notes:

  • OpenClaw deployments commonly require a gateway token/password (or equivalent transport authentication). This should not be treated as unauthenticated Internet RCE.
  • This scenario typically depends on non-standard / misconfigured deployments (for example, granting untrusted parties access to invoke node-host execution or otherwise exposing a privileged execution surface beyond the intended trust boundary).

B) Project-local PATH bootstrapping (local command hijack)

An attacker needs all of the following:

  • The victim runs OpenClaw from within an attacker-controlled working directory (for example, cloning and running inside a malicious repository).
  • That directory contains a node_modules/.bin/openclaw and additional attacker-controlled executables in the same directory.
  • OpenClaw subsequently executes a command by name (resolved via PATH) that matches one of those attacker-controlled executables.

Fix

  • Project-local node_modules/.bin PATH bootstrapping is now disabled by default. If explicitly enabled, it is append-only (never prepended) via OPENCLAW_ALLOW_PROJECT_LOCAL_BIN=1.
  • Node Host now ignores request-scoped PATH overrides.

Fix Commit(s)

  • 013e8f6b3be3333a229a066eef26a45fec47ffcc

Thanks @akhmittra for reporting.

References

@steipete steipete published to openclaw/openclaw Feb 15, 2026
Published to the GitHub Advisory Database Feb 18, 2026
Reviewed Feb 18, 2026
Last updated Feb 18, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS score

Weaknesses

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Learn more on MITRE.

Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. Learn more on MITRE.

Reliance on Untrusted Inputs in a Security Decision

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-jqpq-mgvm-f9r6

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.