CVE-2026-29610
📋 TL;DR
OpenClaw versions before 2026.2.14 have a command hijacking vulnerability: an attacker who can manipulate the PATH environment variable can cause a malicious binary to execute instead of the intended safe command. This affects users running OpenClaw in untrusted directories or with authenticated access to node-host execution surfaces.
💻 Affected Systems
- OpenClaw
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with arbitrary command execution leading to data theft, ransomware deployment, or complete system takeover.
Likely Case
Privilege escalation leading to unauthorized access to sensitive data or system resources within the compromised environment.
If Mitigated
Limited impact with only user-level access and no sensitive data exposure if proper isolation and least privilege are implemented.
🎯 Exploit Status
Exploitation requires either authenticated access or ability to place files in directories where OpenClaw executes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.2.14
Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-jqpq-mgvm-f9r6
Restart Required: Yes
Instructions:
1. Update OpenClaw to version 2026.2.14 or later.
2. Restart all OpenClaw services and processes.
3. Verify the update was successful.
🔧 Temporary Workarounds
Restrict PATH environment
Linux: Set the PATH environment variable to include only trusted directories before executing OpenClaw
export PATH=/usr/bin:/bin:/usr/sbin:/sbin
Run in trusted directories only
All platforms: Ensure OpenClaw runs only in directories controlled by trusted administrators
🧯 If You Can't Patch
- Implement strict access controls to limit who can authenticate to node-host execution surfaces
- Run OpenClaw in isolated containers or VMs with restricted filesystem access
🔍 How to Verify
Check if Vulnerable:
Check OpenClaw version with 'openclaw --version' and compare to 2026.2.14
Check Version:
openclaw --version
Verify Fix Applied:
Verify that the version is 2026.2.14 or later, then test command execution with a manipulated PATH
📡 Detection & Monitoring
Log Indicators:
- Unexpected command execution from OpenClaw processes
- Process spawning from unusual directories in PATH
Network Indicators:
- Unusual outbound connections from OpenClaw processes
SIEM Query:
Process creation where parent process contains 'openclaw' and command line contains unusual binaries or paths