CVE-2026-27486
Improper Process Termination in OpenClaw CLI Risks Service Disruption
Publication date: 2026-02-21
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.2.14 (exclusive; 2026.2.13 and earlier affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-283 | The product does not properly verify that a critical resource is owned by the proper entity. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27486 is a security vulnerability in the OpenClaw CLI process cleanup mechanism affecting versions 2026.2.13 and below. The issue occurs because the cleanup process uses system-wide process enumeration and pattern matching to terminate processes without verifying if those processes are owned by the current OpenClaw process.
This lack of ownership verification means that on shared hosts, unrelated processes that match the command-line pattern can be mistakenly terminated. Essentially, the CLI runner cleanup helpers can kill processes that are not children of the current OpenClaw process, leading to unintended process termination.
The vulnerability is classified under CWE-283 (Unverified Ownership). It was fixed in version 2026.2.14 by restricting cleanup to only child processes owned by the current process, improving process matching accuracy, and implementing a two-stage termination approach (graceful then forceful).
How can this vulnerability impact me?
This vulnerability can cause unintended termination of unrelated processes on shared or multi-tenant hosts if those processes match the command-line patterns used by OpenClaw's cleanup mechanism.

Such unintended process termination could disrupt other users' applications or services running on the same host, potentially leading to data loss, service outages, or degraded system stability.

Because the cleanup does not verify process ownership before killing, critical or unrelated processes might be terminated, which could impact system reliability and user trust. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the OpenClaw CLI process cleanup mechanism improperly terminating unrelated processes by matching command-line patterns without verifying ownership. To detect whether this vulnerability is present, check the version of the OpenClaw CLI installed on your system. Versions 2026.2.13 and below are vulnerable, while 2026.2.14 and above contain the fix.

To investigate whether unintended processes are being terminated, you can manually list processes with full command lines and parent process IDs to see if any processes matching OpenClaw patterns are running and whether they are children of the OpenClaw process.

Suggested commands to inspect processes include:

- `ps -axww -o pid=,ppid=,command=` lists all processes with PID, PPID, and full command line without truncation.
- Filter for commands matching OpenClaw patterns, for example `ps -axww -o pid=,ppid=,command= | grep 'codex exec resume'`, to find processes related to OpenClaw CLI sessions.

By examining the PPID field, you can verify whether processes matching OpenClaw patterns are children of the OpenClaw process or unrelated processes that might be at risk of being terminated incorrectly. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the OpenClaw CLI to version 2026.2.14 or later, where the vulnerability has been fixed.

The fix restricts process cleanup operations to only terminate child processes owned by the current OpenClaw process, preventing unintended termination of unrelated processes on shared hosts.

If upgrading immediately is not possible, consider the following temporary measures:

- Manually monitor and control OpenClaw CLI processes to avoid running cleanup commands that might kill unrelated processes.
- Avoid running OpenClaw CLI cleanup commands on shared hosts where multiple users' processes might match the cleanup patterns.
- Implement process monitoring scripts that verify process ownership before termination, mimicking the filtering logic introduced in the fix.

Ultimately, upgrading to the fixed version is the recommended and most effective mitigation. [1, 2, 3]
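The detection and mitigation answers above both come down to the same check: a cleanup helper must only act on processes whose PPID is the runner's own PID, and should terminate gracefully before forcing. The script below is an added illustration, not OpenClaw's code; it parses constructed `ps -axww -o pid=,ppid=,command=` output, contrasts the unverified pattern match with the ownership-filtered one, and applies a two-stage SIGTERM-then-SIGKILL termination. PIDs, command lines and the `codex exec resume` pattern are sample values.

```python
import os
import re
import signal
import time

# Constructed sample of `ps -axww -o pid=,ppid=,command=` output (not real data).
# 4100 is the OpenClaw runner; 4101 and 4102 are its children; 9001 belongs to
# another tenant on the same host but has a matching command line.
SAMPLE_PS = """\
 4100     1 openclaw run
 4101  4100 codex exec resume --session abc
 9001     1 codex exec resume --session other-tenant
 9002  9001 sleep 60
 4102  4100 node worker.js
"""

def parse_ps(text):
    """Turn `pid ppid command` lines into (pid, ppid, command) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((int(parts[0]), int(parts[1]), parts[2]))
    return rows

def select_cleanup_targets(rows, pattern, owner_pid=None):
    """owner_pid=None reproduces the unverified pattern match (the bug);
    passing the runner's PID keeps only its direct children, as the fix does."""
    regex = re.compile(pattern)
    hits = [pid for pid, ppid, cmd in rows
            if regex.search(cmd) and (owner_pid is None or ppid == owner_pid)]
    return sorted(hits)

def two_stage_terminate(pid, is_alive, kill=os.kill, grace=2.0, sleep=time.sleep):
    """SIGTERM first, wait up to `grace` seconds, SIGKILL only if still alive.
    Returns the signal that ended the process; hooks are injectable for tests."""
    kill(pid, signal.SIGTERM)
    deadline = time.monotonic() + grace
    while is_alive(pid) and time.monotonic() < deadline:
        sleep(0.1)
    if not is_alive(pid):
        return "SIGTERM"
    kill(pid, signal.SIGKILL)
    return "SIGKILL"
```

On a live host, feed the real `ps` output to `parse_ps` and pass `os.getpid()` as `owner_pid`; the unrelated tenant's process (9001 in the sample) is then never selected.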