CVE-2026-29610

OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers with authenticated access to node-host execution surfaces or those running OpenClaw in attacker-controlled directories can place malicious executables in PATH to override allowlisted safe-bin commands and achieve arbitrary command execution.

OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers with authenticated access to node-host execution surfaces or those running OpenClaw in attacker-controlled directories can place malicious executables in PATH to override allowlisted safe-bin commands and achieve arbitrary command execution.

# Command hijacking via PATH handling **Discovered:** 2026-02-04 **Reporter:** @akhmittra ## Summary OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary ("command hijacking") when running host commands. This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects `PATH` to be trustworthy. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `< 2026.2.14` - Patched: `>= 2026.2.14` (planned next release) ## What Is Required To Trigger This ### A) Node Host PATH override (remote command hijack) An attacker needs all of the following: - Authenticated/authorized access to an execution surface that can invoke node-host execution (for example, a compromised gateway or a caller that can issue `system.run`). - A node host connected and exposing `system.run`. - A configuration where allowlist/safe-bins are expected to restrict execution (this is not meaningful if full arbitrary exec is already allowed). - The ability to pass request-scoped environment overrides (specifically `PATH`) into `system.run`. - A way to place an attacker-controlled executable earlier in `PATH` (for example, a writable directory on the node host), with a name that matches an allowlisted/safe-bin command that OpenClaw will run. Notes: - OpenClaw deployments commonly require a gateway token/password (or equivalent transport authentication). This should not be treated as unauthenticated Internet RCE. - This scenario typically depends on **non-standard / misconfigured deployments** (for example, granting untrusted parties access to invoke node-host execution or otherwise exposing a privileged execution surface beyond the intended trust boundary). ### B) Project-local PATH bootstrapping (local command hijack) An attacker needs all of the following: - The victim runs OpenClaw from within an attacker-controlled working directory (for example, cloning and running inside a malicious repository). - That directory contains a `node_modules/.bin/openclaw` and additional attacker-controlled executables in the same directory. - OpenClaw subsequently executes a command by name (resolved via `PATH`) that matches one of those attacker-controlled executables. ## Fix - Project-local `node_modules/.bin` PATH bootstrapping is now **disabled by default**. If explicitly enabled, it is **append-only** (never prepended) via `OPENCLAW_ALLOW_PROJECT_LOCAL_BIN=1`. - Node Host now ignores request-scoped `PATH` overrides. ## Fix Commit(s) - 013e8f6b3be3333a229a066eef26a45fec47ffcc Thanks @akhmittra for reporting.

# Command hijacking via PATH handling **Discovered:** 2026-02-04 **Reporter:** @akhmittra ## Summary OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary ("command hijacking") when running host commands. This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects `PATH` to be trustworthy. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `< 2026.2.14` - Patched: `>= 2026.2.14` (planned next release) ## What Is Required To Trigger This ### A) Node Host PATH override (remote command hijack) An attacker needs all of the following: - Authenticated/authorized access to an execution surface that can invoke node-host execution (for example, a compromised gateway or a caller that can issue `system.run`). - A node host connected and exposing `system.run`. - A configuration where allowlist/safe-bins are expected to restrict execution (this is not meaningful if full arbitrary exec is already allowed). - The ability to pass request-scoped environment overrides (specifically `PATH`) into `system.run`. - A way to place an attacker-controlled executable earlier in `PATH` (for example, a writable directory on the node host), with a name that matches an allowlisted/safe-bin command that OpenClaw will run. Notes: - OpenClaw deployments commonly require a gateway token/password (or equivalent transport authentication). This should not be treated as unauthenticated Internet RCE. - This scenario typically depends on **non-standard / misconfigured deployments** (for example, granting untrusted parties access to invoke node-host execution or otherwise exposing a privileged execution surface beyond the intended trust boundary). ### B) Project-local PATH bootstrapping (local command hijack) An attacker needs all of the following: - The victim runs OpenClaw from within an attacker-controlled working directory (for example, cloning and running inside a malicious repository). - That directory contains a `node_modules/.bin/openclaw` and additional attacker-controlled executables in the same directory. - OpenClaw subsequently executes a command by name (resolved via `PATH`) that matches one of those attacker-controlled executables. ## Fix - Project-local `node_modules/.bin` PATH bootstrapping is now **disabled by default**. If explicitly enabled, it is **append-only** (never prepended) via `OPENCLAW_ALLOW_PROJECT_LOCAL_BIN=1`. - Node Host now ignores request-scoped `PATH` overrides. ## Fix Commit(s) - 013e8f6b3be3333a229a066eef26a45fec47ffcc Thanks @akhmittra for reporting.

Versiones de OpenClaw anteriores a 2026.2.14 contienen una vulnerabilidad de secuestro de comandos que permite a los atacantes ejecutar binarios no deseados manipulando las variables de entorno PATH a través de la ejecución de node-host o el arranque local del proyecto. Los atacantes con acceso autenticado a las superficies de ejecución de node-host o aquellos que ejecutan OpenClaw en directorios controlados por el atacante pueden colocar ejecutables maliciosos en PATH para anular comandos safe-bin en lista blanca y lograr la ejecución arbitraria de comandos.