CVE-2026-32056
Environment Variable Injection in OpenClaw Allows Remote Code Execution

Publication date: 2026-03-21

Last updated on: 2026-03-23

Assigner: VulnCheck

Description
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed.
Meta Information
Published: 2026-03-21
Last Modified: 2026-03-23
Generated: 2026-05-07
AI Q&A: 2026-03-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: up to 2026.2.22 (exclusive)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32056 is a vulnerability in OpenClaw versions prior to 2026.2.22 where the system.run function fails to properly sanitize the shell startup environment variables HOME and ZDOTDIR.

Because these variables are not sanitized, attackers can manipulate them to point to malicious shell startup files such as .bash_profile or .zshenv. These files are executed before the allowlist-evaluated commands run, allowing attackers to bypass command allowlist protections and execute arbitrary code remotely.

The vulnerability arises because the shell wrapper's allowlist mode only models command bodies and does not account for side effects caused by shell startup scripts, whose location is controlled by these environment variables.


How can this vulnerability impact me?

This vulnerability can lead to remote code execution (RCE) on systems running vulnerable versions of OpenClaw.

An attacker can inject malicious shell startup files that execute arbitrary commands before the intended allowlist-evaluated commands, effectively bypassing security controls.

This can compromise the confidentiality, integrity, and availability of the affected system, potentially allowing attackers to take control, steal data, or disrupt services.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves injection through the HOME and ZDOTDIR environment variables, which control where the shell looks for startup files such as .bash_profile or .zshenv. Detection involves checking whether these environment variables are being overridden and whether malicious startup files exist that could be executed. [2, 3]

  • Check for unexpected or suspicious .bash_profile or .zshenv files in user home directories that could be malicious.
  • Inspect the environment variables HOME and ZDOTDIR of processes running system.run or related OpenClaw commands to see whether they have been overridden.
  • Use commands like `ps aux | grep openclaw` to identify running OpenClaw processes, then check their environment variables with `cat /proc/<pid>/environ | tr '\0' '\n' | grep -E 'HOME|ZDOTDIR'`.
  • Audit shell startup files for suspicious content, for example: `grep -r --include=.bash_profile --include=.zshenv 'malicious_command' /home/`.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade OpenClaw to version 2026.2.22 or later, where the vulnerability is fixed by properly sanitizing the HOME and ZDOTDIR environment variables to prevent override by untrusted inputs.

  • Apply the patch that blocks overrides of HOME and ZDOTDIR environment variables as introduced in the fix commit c2c7114ed39a547ab6276e1e933029b9530ee906.
  • Review and restrict permissions on shell startup files (.bash_profile, .zshenv) to prevent unauthorized modification.
  • Implement monitoring to detect any attempts to override these environment variables or modify startup files.
  • Consider restricting or auditing the use of system.run function or similar commands that execute shell commands with environment variables.
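Added example, not OpenClaw's code and not from this advisory: a Python helper that parses the `/proc/<pid>/environ` format used in the detection commands above, flags HOME/ZDOTDIR overrides of the kind this CVE describes, and shows the mitigation side by stripping such overrides from an environment before a shell would be launched. It generalizes to ENV and BASH_ENV (an assumption: these also relocate shell startup files); `expected_home`, the function names and the sample environ blob are constructed for illustration.

```python
import os
from typing import Dict, List, Tuple

# HOME and ZDOTDIR are the variables named in the advisory. ENV and BASH_ENV are added as a
# generalization (assumption: any variable that relocates shell startup files is risky).
STARTUP_REDIRECT_VARS = ("HOME", "ZDOTDIR", "ENV", "BASH_ENV")


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        if entry:
            key, _, value = entry.decode("utf-8", "replace").partition("=")
            env[key] = value
    return env


def find_overrides(env: Dict[str, str], expected_home: str) -> List[str]:
    """Detection: HOME is a finding only when it differs from expected_home (the account's
    real home); the other redirect variables should not be set at all for such a process."""
    findings: List[str] = []
    for var in STARTUP_REDIRECT_VARS:
        if var not in env:
            continue
        if var == "HOME":
            if os.path.normpath(env[var]) != os.path.normpath(expected_home):
                findings.append(f"HOME overridden: {env[var]!r} (expected {expected_home!r})")
        else:
            findings.append(f"{var}={env[var]!r} relocates shell startup files")
    return findings


def sanitize_env(env: Dict[str, str], expected_home: str) -> Tuple[Dict[str, str], List[str]]:
    """Mitigation: return a copy of env with ZDOTDIR/ENV/BASH_ENV dropped and HOME pinned to
    expected_home, plus the names of the variables that were changed (for logging)."""
    clean = {k: v for k, v in env.items() if k == "HOME" or k not in STARTUP_REDIRECT_VARS}
    changed = [k for k in env if k != "HOME" and k in STARTUP_REDIRECT_VARS]
    if clean.get("HOME") != expected_home:
        clean["HOME"] = expected_home
        changed.append("HOME")
    return clean, changed


# Constructed sample: what /proc/<pid>/environ would contain for a process started with
# HOME and ZDOTDIR pointed at a directory outside the real home (not a real capture).
SAMPLE_ENVIRON = b"PATH=/usr/bin\0HOME=/tmp/attacker\0ZDOTDIR=/tmp/attacker\0USER=svc\0"

if __name__ == "__main__":
    print(find_overrides(parse_environ(SAMPLE_ENVIRON), "/home/svc"))
    print(sanitize_env(parse_environ(SAMPLE_ENVIRON), "/home/svc"))
```

To check a live process on Linux, read `/proc/<pid>/environ` as bytes and pass it through `parse_environ` into `find_overrides`; reading another user's environ requires the same uid or root.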
