system.run environment sanitization allowed shell-startup env overrides (HOME, ZDOTDIR) that can execute attacker-controlled startup files before allowlist-evaluated command bodies.
openclaw (npm)<= 2026.2.21-2 (latest published vulnerable version)>= 2026.2.22In affected versions:
- Env sanitization blocked many dangerous keys, but not startup-sensitive override keys (HOME, ZDOTDIR) in host exec env paths.
- Shell-wrapper analysis for allowlist mode models command bodies, but not shell startup side effects.
- Runtime execution used sanitized env, so attacker-provided startup-key overrides could run hidden startup payloads first.
Observed exploit vectors:
- HOME + bash -lc + malicious .bash_profile
- ZDOTDIR + zsh -c + malicious .zshenv
c2c7114ed39a547ab6276e1e933029b9530ee906patched_versions is pre-set to the planned next release (>= 2026.2.22). After the npm release is published, this advisory can be published directly.
OpenClaw thanks @tdjackey for reporting.
| Score | Percentile |
|---|---|
| 0.14% | 34.66% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.5 | 3.1 | — |
|
| 7.7 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-xgf2-vxv2-rrmg ↗ |
| CVE | CVE-2026-32056 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | < 2026.2.22 | 2026.2.22 | — |