OpenClaw Environment Variable Override Handling Vulnerability Allowing Code Execution
Vulnerability
OpenClaw versions prior to 2026.3.22 handle environment variable overrides inconsistently. Because sanitization is not applied uniformly, an attacker can bypass the shared host environment policy by supplying blocked or malformed override keys that evade validation, and thereby execute arbitrary code with environment variables the policy was meant to forbid. The root cause is that the application does not apply the same security checks to every environment override path, in particular in the gateway host execution context.
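The defect described above is a policy applied in some execution paths but not others. The following is an added example, not OpenClaw's code, of the pattern that closes that gap: one validator that checks key well-formedness before any normalization, compares against a blocklist uniformly, and is the only place a child environment is assembled. 'CLASSPATH' is the blocked key the advisory names; the other blocklist entries, the function names and the strict-mode behaviour are assumptions for illustration.

```typescript
// Added example (not OpenClaw's code): a single env-override validator that
// every host execution path is expected to call, so the blocklist and the
// well-formedness checks cannot be skipped by one path and applied by another.

// Keys a caller must never override. CLASSPATH is the example the advisory
// names; the rest are assumed additions: well-known loader and interpreter
// variables that change what code a child process runs.
export const BLOCKED_ENV_KEYS: ReadonlySet<string> = new Set([
  "CLASSPATH",
  "LD_PRELOAD",
  "LD_LIBRARY_PATH",
  "DYLD_INSERT_LIBRARIES",
  "DYLD_LIBRARY_PATH",
  "NODE_OPTIONS",
  "PYTHONPATH",
  "PATH",
]);

// POSIX-portable variable name: letters, digits, underscore, not starting
// with a digit. Anything else is treated as malformed and rejected outright.
const VALID_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;

export interface EnvOverrideResult {
  accepted: Record<string, string>;
  rejected: Array<{ key: string; reason: string }>;
}

export function validateEnvOverrides(
  overrides: Record<string, unknown>,
): EnvOverrideResult {
  const accepted: Record<string, string> = {};
  const rejected: Array<{ key: string; reason: string }> = [];

  for (const [rawKey, value] of Object.entries(overrides)) {
    // Well-formedness is checked on the raw key, before any normalization,
    // so a key with embedded whitespace, '=' or control characters is
    // rejected rather than silently normalized into something that passes.
    if (!VALID_KEY.test(rawKey)) {
      rejected.push({ key: rawKey, reason: "malformed key" });
      continue;
    }
    // Blocklist comparison is case-insensitive: Windows environments are
    // case-insensitive, and the check must behave the same on every host.
    if (BLOCKED_ENV_KEYS.has(rawKey.toUpperCase())) {
      rejected.push({ key: rawKey, reason: "blocked key" });
      continue;
    }
    if (typeof value !== "string") {
      rejected.push({ key: rawKey, reason: "value must be a string" });
      continue;
    }
    // A NUL byte cannot be represented in a process environment and would
    // truncate the value at the OS boundary.
    if (value.includes("\0")) {
      rejected.push({ key: rawKey, reason: "NUL byte in value" });
      continue;
    }
    accepted[rawKey] = value;
  }
  return { accepted, rejected };
}

// The one place a child environment is assembled. Every host execution path
// (gateway host, node host) would call this instead of merging overrides
// itself. In strict mode any rejected key fails the whole request instead of
// being dropped, so a caller cannot discover which keys slip through quietly.
export function buildChildEnv(
  baseEnv: Record<string, string>,
  overrides: Record<string, unknown>,
  strict = true,
): Record<string, string> {
  const { accepted, rejected } = validateEnvOverrides(overrides);
  if (strict && rejected.length > 0) {
    const detail = rejected.map((r) => `${r.key}: ${r.reason}`).join(", ");
    throw new Error(`rejected environment overrides: ${detail}`);
  }
  return { ...baseEnv, ...accepted };
}
```

The order of checks matters: the shape check runs on the raw key first, so normalization can never turn a malformed key into an accepted one, and the blocklist is consulted on a canonical form so spelling variants of a blocked name are treated identically everywhere the function is called.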
Impact
Exploitation of this vulnerability could result in unauthorized code execution with manipulated environment variables, potentially leading to further system compromise.
Reproduction
The vulnerability can be reproduced by sending a request to a node host execution environment that carries blocked or malformed environment variable override keys. This can be done through the OpenClaw plugin system by specifying the 'env' parameter with the desired override keys. The 'CLASSPATH' key is an example of a blocked override: the policy should reject it, but affected versions accept it when it is included in the 'env' parameter.
Remediation
Users can update to OpenClaw version 2026.3.22 or later, where this vulnerability has been fixed.