Command Injection Affecting openclaw package, versions <2026.2.21
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-OPENCLAW-15373840
- published4 Mar 2026
- disclosed3 Mar 2026
- credittdjackey
Introduced: 3 Mar 2026
New CVE NOT AVAILABLE CWE-15 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade openclaw to version 2026.2.21 or higher.
Overview
openclaw is a 🦞 OpenClaw — Personal AI Assistant
Affected versions of this package are vulnerable to Command Injection via the process when attacker-controlled environment variables are admitted and inherited by host command execution paths. An attacker can execute arbitrary commands by injecting malicious values into environment variables that are processed during shell command execution. This is only exploitable if the attacker has local or privileged influence over configuration or environment inputs.