High severity · OSV Advisory · Published Feb 2, 2026 · Updated Feb 4, 2026
Authenticated Command Injection in OpenClaw Docker Execution via PATH Environment Variable
CVE-2026-24763
Description
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw's Docker sandbox execution mechanism: when building the `sh -lc` command for the container, the value of the `PATH` environment variable was interpolated directly into the shell command string (`export PATH="<value>:$PATH"; <command>`), so shell metacharacters in the value (double quotes, `$(...)`, backticks, `;`) were parsed as shell syntax rather than treated as data. An authenticated user able to control the environment variables passed to the sandbox could thereby run arbitrary commands within the container context. This vulnerability is fixed in 2026.1.29, which passes the value through a dedicated environment variable instead of interpolating it into the script.
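The following is an added example, not code from OpenClaw or from the advisory: it reconstructs the two shapes of the argument builder in simplified form (`buildArgsVulnerable` mirrors the pre-fix template, `buildArgsFixed` mirrors the patched one) and runs both through a local stand-in for the container so the difference is observable without Docker. The names `ExecParams`, `buildArgsVulnerable`, `buildArgsFixed`, `runLocally`, `demo` and `BASE_PATH` are assumptions for the illustration; `runLocally` applies the `-e` pairs as the environment, forces `PATH` back to a base value to emulate `/etc/profile` resetting it in the login shell, and executes the script with the host's `/bin/sh -c` (dropping `-l` so the host profile does not interfere).

```typescript
import { spawnSync } from "node:child_process";

// Shape of the builder's parameters (simplified; hypothetical names).
export interface ExecParams {
  containerName: string;
  command: string;
  env: Record<string, string>;
}

// Name of the carrier variable used by the fixed builder (taken from the patch).
export const PREPEND_VAR = "CLAWDBOT_PREPEND_PATH";

// Pre-2026.1.29 shape: env.PATH is spliced into the text of the shell script,
// so `"`, `$(...)`, backticks and `;` in the value are parsed as shell syntax.
export function buildArgsVulnerable(p: ExecParams): string[] {
  const args: string[] = ["exec"];
  for (const [key, value] of Object.entries(p.env)) {
    args.push("-e", `${key}=${value}`);
  }
  const pathExport = p.env.PATH ? `export PATH="${p.env.PATH}:$PATH"; ` : "";
  args.push(p.containerName, "sh", "-lc", `${pathExport}${p.command}`);
  return args;
}

// Fixed shape: the value travels as an environment variable and the script
// only names it inside double quotes. The shell expands a quoted parameter as
// one word and does not re-parse its contents, so the payload lands in PATH
// verbatim instead of being executed.
export function buildArgsFixed(p: ExecParams): string[] {
  const args: string[] = ["exec"];
  for (const [key, value] of Object.entries(p.env)) {
    args.push("-e", `${key}=${value}`);
  }
  const hasCustomPath = typeof p.env.PATH === "string" && p.env.PATH.length > 0;
  if (hasCustomPath) {
    args.push("-e", `${PREPEND_VAR}=${p.env.PATH}`);
  }
  const pathExport = hasCustomPath
    ? `export PATH="\${${PREPEND_VAR}}:$PATH"; unset ${PREPEND_VAR}; `
    : "";
  args.push(p.containerName, "sh", "-lc", `${pathExport}${p.command}`);
  return args;
}

// Stand-in for the container (assumption: no Docker needed to show the bug).
// The -e pairs become the environment, PATH is then forced back to a base
// value to emulate /etc/profile resetting it in the login shell, and the
// script runs under the local /bin/sh -c.
const BASE_PATH = "/usr/bin:/bin";

export function runLocally(args: string[]): { stdout: string; status: number | null } {
  const env: Record<string, string> = {};
  let i = 1;
  while (args[i] === "-e") {
    const pair = args[i + 1] ?? "";
    const eq = pair.indexOf("=");
    env[pair.slice(0, eq)] = pair.slice(eq + 1);
    i += 2;
  }
  env.PATH = BASE_PATH; // what the profile does inside the real container
  const script = args[args.length - 1] ?? "";
  const r = spawnSync("/bin/sh", ["-c", script], { env, encoding: "utf8" });
  return { stdout: r.stdout, status: r.status };
}

// Run the same attacker-controlled PATH value through both builders and
// return what the sandboxed command actually printed in each case.
export function demo(payload: string, command: string): { vulnerable: string; fixed: string } {
  const params: ExecParams = {
    containerName: "sandbox",
    command,
    env: { PATH: payload, HOME: "/home/user" }, // constructed sample input
  };
  return {
    vulnerable: runLocally(buildArgsVulnerable(params)).stdout,
    fixed: runLocally(buildArgsFixed(params)).stdout,
  };
}

// Two payloads: command substitution, and a double-quote breakout.
console.log(JSON.stringify(demo("$(echo PWNED)", 'echo "$PATH"'), null, 2));
console.log(JSON.stringify(demo('x"; echo PWNED; echo "', 'echo "$PATH"'), null, 2));
```

With the command-substitution payload the vulnerable builder yields `PATH=PWNED:/usr/bin:/bin` (the `echo` ran), while the fixed builder yields the literal `$(echo PWNED):/usr/bin:/bin`; with the quote-breakout payload the vulnerable script runs the injected `echo PWNED` before the user's command, while the fixed script keeps the whole string inside `PATH`. The fix is structural: nothing about the value is validated, it is simply never part of the script text.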
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| clawdbot | npm | < 2026.1.29 | 2026.1.29 |
Patches (1)
771f23d36b95 fix(exec): prevent PATH injection in docker sandbox
3 files changed · +33 −4
docs/tools/exec.md+2 −1 modified@@ -67,7 +67,8 @@ Example: - macOS: `/opt/homebrew/bin`, `/usr/local/bin`, `/usr/bin`, `/bin` - Linux: `/usr/local/bin`, `/usr/bin`, `/bin` - `host=sandbox`: runs `sh -lc` (login shell) inside the container, so `/etc/profile` may reset `PATH`. - Clawdbot prepends `env.PATH` after profile sourcing; `tools.exec.pathPrepend` applies here too. + Clawdbot prepends `env.PATH` after profile sourcing via an internal env var (no shell interpolation); + `tools.exec.pathPrepend` applies here too. - `host=node`: only env overrides you pass are sent to the node. `tools.exec.pathPrepend` only applies if the exec call already sets `env.PATH`. Headless node hosts accept `PATH` only when it prepends the node host PATH (no replacement). macOS nodes drop `PATH` overrides entirely.
src/agents/bash-tools.shared.ts+8 −1 modified@@ -60,11 +60,18 @@ export function buildDockerExecArgs(params: { for (const [key, value] of Object.entries(params.env)) { args.push("-e", `${key}=${value}`); } + const hasCustomPath = typeof params.env.PATH === "string" && params.env.PATH.length > 0; + if (hasCustomPath) { + // Avoid interpolating PATH into the shell command; pass it via env instead. + args.push("-e", `CLAWDBOT_PREPEND_PATH=${params.env.PATH}`); + } // Login shell (-l) sources /etc/profile which resets PATH to a minimal set, // overriding both Docker ENV and -e PATH=... environment variables. // Prepend custom PATH after profile sourcing to ensure custom tools are accessible // while preserving system paths that /etc/profile may have added. - const pathExport = params.env.PATH ? `export PATH="${params.env.PATH}:$PATH"; ` : ""; + const pathExport = hasCustomPath + ? 'export PATH="${CLAWDBOT_PREPEND_PATH}:$PATH"; unset CLAWDBOT_PREPEND_PATH; ' + : ""; args.push(params.containerName, "sh", "-lc", `${pathExport}${params.command}`); return args; }
src/agents/bash-tools.test.ts+23 −2 modified@@ -318,9 +318,30 @@ describe("buildDockerExecArgs", () => { }); const commandArg = args[args.length - 1]; - expect(commandArg).toContain('export PATH="/custom/bin:/usr/local/bin:/usr/bin:$PATH"'); + expect(args).toContain("CLAWDBOT_PREPEND_PATH=/custom/bin:/usr/local/bin:/usr/bin"); + expect(commandArg).toContain('export PATH="${CLAWDBOT_PREPEND_PATH}:$PATH"'); expect(commandArg).toContain("echo hello"); - expect(commandArg).toBe('export PATH="/custom/bin:/usr/local/bin:/usr/bin:$PATH"; echo hello'); + expect(commandArg).toBe( + 'export PATH="${CLAWDBOT_PREPEND_PATH}:$PATH"; unset CLAWDBOT_PREPEND_PATH; echo hello', + ); + }); + + it("does not interpolate PATH into the shell command", () => { + const injectedPath = "$(touch /tmp/clawdbot-path-injection)"; + const args = buildDockerExecArgs({ + containerName: "test-container", + command: "echo hello", + env: { + PATH: injectedPath, + HOME: "/home/user", + }, + tty: false, + }); + + const commandArg = args[args.length - 1]; + expect(args).toContain(`CLAWDBOT_PREPEND_PATH=${injectedPath}`); + expect(commandArg).not.toContain(injectedPath); + expect(commandArg).toContain("CLAWDBOT_PREPEND_PATH"); }); it("does not add PATH export when PATH is not in env", () => {
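Review bot: in the docs/tools/exec.md hunk, the new sentence says PATH is prepended "via an internal env var" but never names it, so a user cannot know that `CLAWDBOT_PREPEND_PATH` is reserved and is unset before their command runs (the `unset CLAWDBOT_PREPEND_PATH` in bash-tools.shared.ts). Suggest naming it and stating the contract, e.g. "Clawdbot prepends `env.PATH` after profile sourcing by passing it in the `CLAWDBOT_PREPEND_PATH` environment variable, which is consumed and unset before your command runs; do not rely on it or set it yourself."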
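Review bot: in the bash-tools.shared.ts hunk, the `for (const [key, value] of Object.entries(params.env))` loop above the new `hasCustomPath` block still forwards every key, so a caller who puts `CLAWDBOT_PREPEND_PATH` in `params.env` produces two `-e CLAWDBOT_PREPEND_PATH=...` flags and the effective value then depends on how docker resolves a repeated flag rather than on this function. Either drop or reject that key before the loop (`if (key === "CLAWDBOT_PREPEND_PATH") continue;`, or throw). The loop also still emits `-e PATH=...` for the same value; that is harmless given the profile reset the comment describes, but it could be skipped now that the prepend path is the carrier.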
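Review bot: in the bash-tools.test.ts hunk, the new "does not interpolate PATH into the shell command" case only uses a `$(...)` payload; the old template `export PATH="${params.env.PATH}:$PATH"` was equally breakable with a double quote (`x"; touch /tmp/x; echo "`), backticks and `;`, so parametrize this test over several metacharacter payloads to pin the property rather than one instance of it. The `expect(args).toContain("CLAWDBOT_PREPEND_PATH=...")` assertions also check only membership in the flat array; asserting that the preceding element is `"-e"` would catch a regression that moves the value into the command string under a different spelling.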
References (6)
- github.com/advisories/GHSA-mc68-q9jw-2h3v (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-24763 (advisory)
- github.com/clawdbot/clawdbot/security/advisories/GHSA-mc68-q9jw-2h3v (web)
- github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75 (web)
- github.com/openclaw/openclaw/releases/tag/v2026.1.29 (web)
- github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v (web)