GHSA-JQPQ-MGVM-F9R6

Vulnerability from github – Published: 2026-02-18 00:55 – Updated: 2026-03-06 01:04
VLAI?
Summary
OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)
Details

Command hijacking via PATH handling

Discovered: 2026-02-04 Reporter: @akhmittra

Summary

OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary ("command hijacking") when running host commands.

This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects PATH to be trustworthy.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.2.14
  • Patched: >= 2026.2.14 (planned next release)

What Is Required To Trigger This

A) Node Host PATH override (remote command hijack)

An attacker needs all of the following:

  • Authenticated/authorized access to an execution surface that can invoke node-host execution (for example, a compromised gateway or a caller that can issue system.run).
  • A node host connected and exposing system.run.
  • A configuration where allowlist/safe-bins are expected to restrict execution (this is not meaningful if full arbitrary exec is already allowed).
  • The ability to pass request-scoped environment overrides (specifically PATH) into system.run.
  • A way to place an attacker-controlled executable earlier in PATH (for example, a writable directory on the node host), with a name that matches an allowlisted/safe-bin command that OpenClaw will run.

Notes:

  • OpenClaw deployments commonly require a gateway token/password (or equivalent transport authentication). This should not be treated as unauthenticated Internet RCE.
  • This scenario typically depends on non-standard / misconfigured deployments (for example, granting untrusted parties access to invoke node-host execution or otherwise exposing a privileged execution surface beyond the intended trust boundary).

B) Project-local PATH bootstrapping (local command hijack)

An attacker needs all of the following:

  • The victim runs OpenClaw from within an attacker-controlled working directory (for example, cloning and running inside a malicious repository).
  • That directory contains a node_modules/.bin/openclaw and additional attacker-controlled executables in the same directory.
  • OpenClaw subsequently executes a command by name (resolved via PATH) that matches one of those attacker-controlled executables.

Fix

  • Project-local node_modules/.bin PATH bootstrapping is now disabled by default. If explicitly enabled, it is append-only (never prepended) via OPENCLAW_ALLOW_PROJECT_LOCAL_BIN=1.
  • Node Host now ignores request-scoped PATH overrides.

Fix Commit(s)

  • 013e8f6b3be3333a229a066eef26a45fec47ffcc

Thanks @akhmittra for reporting.

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.7 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-427",
      "CWE-78",
      "CWE-807"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T00:55:50Z",
    "nvd_published_at": "2026-03-05T22:16:24Z",
    "severity": "HIGH"
  },
  "details": "# Command hijacking via PATH handling\n\n**Discovered:** 2026-02-04\n**Reporter:** @akhmittra\n\n## Summary\n\nOpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary (\"command hijacking\") when running host commands.\n\nThis issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects `PATH` to be trustworthy.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `\u003c 2026.2.14`\n- Patched: `\u003e= 2026.2.14` (planned next release)\n\n## What Is Required To Trigger This\n\n### A) Node Host PATH override (remote command hijack)\n\nAn attacker needs all of the following:\n\n- Authenticated/authorized access to an execution surface that can invoke node-host execution (for example, a compromised gateway or a caller that can issue `system.run`).\n- A node host connected and exposing `system.run`.\n- A configuration where allowlist/safe-bins are expected to restrict execution (this is not meaningful if full arbitrary exec is already allowed).\n- The ability to pass request-scoped environment overrides (specifically `PATH`) into `system.run`.\n- A way to place an attacker-controlled executable earlier in `PATH` (for example, a writable directory on the node host), with a name that matches an allowlisted/safe-bin command that OpenClaw will run.\n\nNotes:\n\n- OpenClaw deployments commonly require a gateway token/password (or equivalent transport authentication). This should not be treated as unauthenticated Internet RCE.\n- This scenario typically depends on **non-standard / misconfigured deployments** (for example, granting untrusted parties access to invoke node-host execution or otherwise exposing a privileged execution surface beyond the intended trust boundary).\n\n### B) Project-local PATH bootstrapping (local command hijack)\n\nAn attacker needs all of the following:\n\n- The victim runs OpenClaw from within an attacker-controlled working directory (for example, cloning and running inside a malicious repository).\n- That directory contains a `node_modules/.bin/openclaw` and additional attacker-controlled executables in the same directory.\n- OpenClaw subsequently executes a command by name (resolved via `PATH`) that matches one of those attacker-controlled executables.\n\n## Fix\n\n- Project-local `node_modules/.bin` PATH bootstrapping is now **disabled by default**. If explicitly enabled, it is **append-only** (never prepended) via `OPENCLAW_ALLOW_PROJECT_LOCAL_BIN=1`.\n- Node Host now ignores request-scoped `PATH` overrides.\n\n## Fix Commit(s)\n\n- 013e8f6b3be3333a229a066eef26a45fec47ffcc\n\nThanks @akhmittra for reporting.",
  "id": "GHSA-jqpq-mgvm-f9r6",
  "modified": "2026-03-06T01:04:18Z",
  "published": "2026-02-18T00:55:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jqpq-mgvm-f9r6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29610"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/013e8f6b3be3333a229a066eef26a45fec47ffcc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-command-hijacking-via-unsafe-path-handling"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.