DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24763: OpenClaw Command Injection: When the PATH Leads to RCE

#security #cve #cybersecurity

OpenClaw Command Injection: When the PATH Leads to RCE

Vulnerability ID: CVE-2026-24763
CVSS Score: 8.8
Published: 2026-02-02

OpenClaw (formerly Clawdbot), a self-hosted AI assistant, contained a critical OS Command Injection vulnerability in its Docker sandbox implementation. By failing to properly sanitize user-supplied environment variables—specifically the 'PATH'—before interpolating them into a shell command string, the application allowed authenticated users to execute arbitrary commands inside the container. This effectively turns the AI assistant into a remote shell for any user with basic access permissions.

TL;DR

A command injection flaw in OpenClaw's Docker execution logic allowed attackers to inject malicious shell commands via the 'PATH' environment variable. This results in Remote Code Execution (RCE) within the Docker container.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-78 (OS Command Injection)
  • CVSS Score: 8.8 (High)
  • Attack Vector: Network (Authenticated)
  • Impact: Confidentiality, Integrity, Availability
  • Fix Commit: 771f23d36b95ec2204cc9a0054045f5d8439ea75
  • Vendor: OpenClaw

Affected Systems

  • OpenClaw (Self-hosted)
  • Clawdbot (Legacy name)
  • OpenClaw: < 2026.1.29 (Fixed in: 2026.1.29)

Code Analysis

Commit: 771f23d

Fix command injection by passing PATH via Docker env vars

- const pathExport = params.env.PATH ? `export PATH="${params.env.PATH}:$PATH"; ` : "";
+ if (hasCustomPath) args.push("-e", `CLAWDBOT_PREPEND_PATH=${params.env.PATH}`);
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Research Analysis: Proof of Concept involves setting PATH to include shell metacharacters like semicolons or command substitutions.

Mitigation Strategies

  • Input decoupling: Pass user data via environment variables, not string concatenation.
  • Upgrade OpenClaw to version 2026.1.29.
  • Restrict permissions for defining environment variables in the agent interface.

Remediation Steps:

  1. Stop the OpenClaw service.
  2. Pull the latest Docker image or update the source code to tag v2026.1.29.
  3. Verify the version in the dashboard.
  4. Monitor logs for failed command injection attempts (looking for semicolons or $ in PATH logs).

References

Read the full report for CVE-2026-24763 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)