Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and PS4, affecting execution semantics and security controls.
AnalysisAI
Remote attackers with low-privilege authentication can inject environment variable assignments into OpenClaw 2026.2.22 through 2026.4.11 to bypass shell wrapper detection mechanisms. By manipulating critical shell variables like SHELLOPTS and PS4 at the argv level, attackers achieve high-impact code execution that circumvents security controls. Vendor-released patch available in version 2026.4.12. No active exploitation confirmed (not in CISA KEV), but VulnCheck disclosed this vulnerability with specific technical details and a GitHub commit fix.
Technical ContextAI
This vulnerability exploits insufficient input validation in OpenClaw's shell wrapper detection logic (CWE-184: Incomplete List of Disallowed Inputs). The application fails to properly sanitize command-line arguments (argv) before execution, allowing injection of environment variable assignments. Critical shell variables like SHELLOPTS (controls shell options including debug tracing) and PS4 (defines the prompt for execution trace) can be manipulated to alter execution flow and disable security mechanisms. The CPE identifier (cpe:2.3:a:openclaw:openclaw) indicates this is a core vulnerability in the OpenClaw application framework itself, affecting how it interfaces with shell environments during command execution or subprocess spawning.
RemediationAI
Upgrade to OpenClaw version 2026.4.12 or later, which contains the fix implemented in commit 8f8492d172f4c5b4fd7dd9a47855ed620c8770ab (https://github.com/openclaw/openclaw/commit/8f8492d172f4c5b4fd7dd9a47855ed620c8770ab). If immediate patching is not feasible, implement strict input validation on all user-controllable data passed to shell execution contexts, specifically blocking argv entries containing '=' characters that could represent environment variable assignments. Alternatively, restrict authenticated user privileges to minimize exposure, though this reduces functionality and does not eliminate the vulnerability. Review audit logs for suspicious SHELLOPTS or PS4 variable usage patterns, particularly trace mode activation or unexpected shell option modifications.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27253