CVE-2026-35667
Improper Process Termination in OpenClaw Causes Data Corruption
Publication date: 2026-04-10
Last updated on: 2026-04-28
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | all versions before 2026.3.24 (2026.3.24 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.24. It is related to an incomplete fix for a previous issue (CVE-2026-27486). Specifically, the !stop chat command uses an unpatched function called killProcessTree from shell-utils.ts. This function sends a SIGKILL signal immediately to terminate processes without allowing a graceful shutdown via SIGTERM.
Because of this, attackers can exploit the !stop command to abruptly terminate processes, which can lead to data corruption, resource leaks, and the skipping of important security-sensitive cleanup operations.
How can this vulnerability impact me?
The vulnerability can impact you by allowing attackers to cause abrupt termination of processes through the !stop command. This can result in data corruption, meaning your data might become inconsistent or lost.
Additionally, resource leaks may occur, which can degrade system performance or stability over time.
Finally, security-sensitive cleanup operations may be skipped, potentially leaving your system in an insecure state or vulnerable to further exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes abrupt process termination that can lead to data corruption, resource leaks, and skipped security-sensitive cleanup operations.
Such issues may impact compliance with standards and regulations like GDPR and HIPAA, which require proper handling and protection of sensitive data, secure logging, and ensuring data integrity.
Because the vulnerability can cause incomplete cleanup of secrets and audit logs, it may increase the risk of non-compliance with these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the !stop chat command in OpenClaw triggering an immediate SIGKILL signal to terminate processes without a graceful shutdown. Detection involves identifying if the vulnerable killProcessTree function from shell-utils.ts is being used.
You can check the OpenClaw version installed on your system to determine if it is vulnerable (versions prior to 2026.3.24 are affected).
- Run a command to check the OpenClaw version, for example: `openclaw --version` or check the package.json or installed npm package version.
- Inspect the source code or installed files to see if the !stop command handler imports killProcessTree from shell-utils.ts instead of the patched process/kill-tree.ts.
- Monitor process termination behavior when the !stop command is issued: if processes are killed immediately without a SIGTERM grace period, the system is likely vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OpenClaw to version 2026.3.24 or later, where the !stop command uses the patched killProcessTree (from process/kill-tree.ts) that requests a graceful shutdown with SIGTERM before resorting to SIGKILL.
Until the upgrade can be applied, avoid using the !stop chat command or any functionality that triggers the vulnerable killProcessTree function.
Review and patch any custom scripts or automation that rely on the vulnerable !stop command to prevent abrupt process termination.
Monitor system logs and processes for signs of abrupt termination and data corruption to detect exploitation attempts.