CVE-2026-22177

Summary

OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.2.21affected
OpenClawOpenClaw2026.2.21unaffected

Weaknesses

  • CWE-15: CWE-15: External Control of System or Configuration Setting

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References