CVE-2026-22177
Status: Received - Intake
Startup-Time Code Execution via Env Variable Injection in OpenClaw

Publication date: 2026-03-18

Last updated on: 2026-04-08

Assigner: VulnCheck

Description
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context.
Meta Information
Published: 2026-03-18
Last Modified: 2026-04-08
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: up to 2026.2.21 (exclusive)
CWE
CWE-15: One or more system settings or configuration elements can be externally controlled by a user.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22177 is a security vulnerability in OpenClaw versions prior to 2026.2.21 where dangerous process-control environment variables are not properly filtered from configuration environment variables.

This flaw allows attackers to inject environment variables such as NODE_OPTIONS or LD_* through configuration inputs, which are then merged into the OpenClaw gateway service runtime environment.

Because these variables influence shell startup behavior and dynamic library loading, attackers can exploit this to execute arbitrary code during the startup of the OpenClaw service.

The vulnerability is classified under CWE-15 (External Control of System or Configuration Setting) and was fixed by implementing centralized sanitization and blocking of dangerous environment variables across multiple components of OpenClaw.


How can this vulnerability impact me?

This vulnerability can allow an attacker with limited privileges to inject malicious environment variables into the OpenClaw gateway service.

As a result, the attacker can execute arbitrary code at startup time within the context of the OpenClaw process.

This can lead to unauthorized code execution, potentially compromising the system running OpenClaw, affecting the integrity and availability of the service.

The CVSS v4 base score of 6.9 indicates a moderate severity impact, with high impact on integrity and limited impact on availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves dangerous environment variables like NODE_OPTIONS or LD_* being injected through configuration environment variables into the OpenClaw gateway service runtime. Detection involves checking for the presence of these dangerous environment variables in the environment where OpenClaw runs.

You can inspect the environment variables of the OpenClaw process or its configuration files to detect if any blocked or dangerous environment variables are set. Key environment variables to look for include: BASH_ENV, ENV, NODE_OPTIONS, NODE_PATH, PYTHONHOME, PYTHONPATH, PERL5LIB, PERL5OPT, RUBYLIB, RUBYOPT, GCONV_PATH, IFS, SSLKEYLOGFILE, and any variables starting with BASH_FUNC_, DYLD_, or LD_.

Suggested commands to detect these variables include:

- On a running system, check the environment variables of the OpenClaw process (replace <pid> with the actual process ID; reading /proc/<pid>/environ requires the same user as the process or root). The exact-match names are anchored with a trailing `=` so that, for example, ENV does not also match ENVIRONMENT:
  `tr '\0' '\n' < /proc/<pid>/environ | grep -E '^(BASH_ENV|ENV|NODE_OPTIONS|NODE_PATH|PYTHONHOME|PYTHONPATH|PERL5LIB|PERL5OPT|RUBYLIB|RUBYOPT|GCONV_PATH|IFS|SSLKEYLOGFILE)=|^(BASH_FUNC_|DYLD_|LD_)'`
- Check configuration files or environment variable settings used to start OpenClaw for any of these variables.
- Use shell commands to list environment variables and filter for dangerous ones before starting OpenClaw:
  `env | grep -E '^(BASH_ENV|ENV|NODE_OPTIONS|NODE_PATH|PYTHONHOME|PYTHONPATH|PERL5LIB|PERL5OPT|RUBYLIB|RUBYOPT|GCONV_PATH|IFS|SSLKEYLOGFILE)=|^(BASH_FUNC_|DYLD_|LD_)'`


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade OpenClaw to version 2026.2.21 or later, where the vulnerability has been fixed by blocking dangerous environment variables from configuration and runtime environments.

If upgrading is not immediately possible, manually sanitize and block dangerous environment variables such as NODE_OPTIONS, LD_*, DYLD_*, BASH_ENV, ENV, and others listed in the fix to prevent them from being injected into the OpenClaw runtime environment.

Ensure that configuration environment variables do not include any of the blocked keys or prefixes that could influence shell startup or dynamic library loading.

Review and restrict any skill environment overrides or other configuration inputs that might allow injection of unsafe environment variables.

Implement environment variable sanitization similar to the HostEnvSanitizer module introduced in the patch, which excludes blocked keys and prefixes and disallows overriding PATH in request-scoped environments.
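The following is an added example, not OpenClaw's HostEnvSanitizer or any other code from the project. It implements the two things the detection and mitigation answers above describe: auditing an environment mapping (parsed from a /proc/<pid>/environ blob or taken from a config's env.vars) for the blocked keys and prefixes, and sanitizing config-supplied variables before they are merged into a service environment, with PATH overrides refused in request-scoped mode. The blocklist is the one listed in the detection answer; the function names (parseEnviron, findDangerousEnvKeys, sanitizeEnvVars) and the sample data are constructed for this example.

```javascript
"use strict";

// Added example (not OpenClaw's code): audit and sanitize config-supplied
// environment variables against the blocklist named in the advisory text.
// Function names and sample data below are constructed, not from the project.

// Exact-match names that change interpreter or shell startup behaviour.
const BLOCKED_KEYS = new Set([
  "BASH_ENV", "ENV", "NODE_OPTIONS", "NODE_PATH", "PYTHONHOME", "PYTHONPATH",
  "PERL5LIB", "PERL5OPT", "RUBYLIB", "RUBYOPT", "GCONV_PATH", "IFS", "SSLKEYLOGFILE",
]);

// Prefixes that reach exported bash functions or the dynamic loader.
const BLOCKED_PREFIXES = ["BASH_FUNC_", "DYLD_", "LD_"];

// Environment names must look like shell identifiers. Anything else is dropped
// so a key cannot smuggle "=" or NUL into the child's environ block.
const VALID_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// True when a key is on the exact-match list or carries a blocked prefix.
// Matching is case-sensitive, as Linux environment lookups are.
function isDangerousEnvKey(key) {
  return BLOCKED_KEYS.has(key) || BLOCKED_PREFIXES.some((p) => key.startsWith(p));
}

// Parse a NUL-separated environ blob (the format of /proc/<pid>/environ)
// into a plain object. Entries without a name are ignored.
function parseEnviron(blob) {
  const env = {};
  for (const entry of blob.split("\0")) {
    if (entry === "") continue;
    const eq = entry.indexOf("=");
    if (eq <= 0) continue; // malformed entry, no name before "="
    env[entry.slice(0, eq)] = entry.slice(eq + 1);
  }
  return env;
}

// Detection: return the blocked keys present in an environment mapping,
// sorted so the output is stable for logging or alerting.
function findDangerousEnvKeys(env) {
  return Object.keys(env).filter(isDangerousEnvKey).sort();
}

// Mitigation: build the subset of config env vars that may be merged into the
// service environment. Blocked and malformed names are dropped and reported
// back to the caller; in request-scoped mode PATH may not be overridden either.
function sanitizeEnvVars(vars, { requestScoped = false } = {}) {
  const kept = {};
  const dropped = [];
  for (const [key, value] of Object.entries(vars)) {
    const reject =
      !VALID_NAME.test(key) ||
      isDangerousEnvKey(key) ||
      (requestScoped && key === "PATH");
    if (reject) {
      dropped.push(key);
      continue;
    }
    kept[key] = String(value);
  }
  return { kept, dropped: dropped.sort() };
}

// Constructed sample: an environ blob as read from /proc/<pid>/environ.
// The NODE_OPTIONS value is benign on purpose; the key is blocked regardless of value.
const SAMPLE_ENVIRON =
  "PATH=/usr/local/bin:/usr/bin\0HOME=/var/lib/openclaw\0" +
  "NODE_OPTIONS=--max-old-space-size=512\0ENVIRONMENT=production\0" +
  "LD_LIBRARY_PATH=/opt/lib\0";

// Constructed sample: env.vars as they might appear in a config file.
const SAMPLE_CONFIG_VARS = {
  PATH: "/opt/tools/bin",
  LOG_LEVEL: "info",
  NODE_OPTIONS: "--max-old-space-size=512",
  "BAD=KEY": "x",
};

console.log("dangerous keys in environ:", findDangerousEnvKeys(parseEnviron(SAMPLE_ENVIRON)));
console.log("request-scoped sanitize:", sanitizeEnvVars(SAMPLE_CONFIG_VARS, { requestScoped: true }));
```

The sanitizer reports dropped keys rather than silently discarding them so the service can log a rejected configuration; a config that tries to set a blocked key is itself worth an alert. Matching is exact and prefix-based on the key alone, so ENVIRONMENT is allowed while ENV is not, and a variable is rejected whatever value it carries.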

