OpenClaw Remote Code Execution Vulnerability via Environment Variable Injection
Vulnerability
A remote code execution vulnerability exists in OpenClaw versions prior to 2026.4.8. The issue arises from missing entries in the environment variable denylist: build-tool environment variables that were not denylisted could be injected into the environment of host execution commands, changing what those commands run and leading to arbitrary code execution.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the host system.
Reproduction
The vulnerability can be reproduced by injecting build-tool environment variables such as HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS into the execution environment. Because these names were absent from the denylist, OpenClaw passed them through when it ran host execution commands, and the injected values could redirect those commands, resulting in arbitrary code execution.
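To make the denylist gap concrete, the following is an added example written for this page; it is not OpenClaw's own code and does not reproduce its actual filter. It shows a host-command runner filtering caller-supplied environment variables two ways: with a denylist, the approach the advisory describes as incomplete, and with an allowlist, which fails closed when a new dangerous variable appears. The four denylisted names are the ones the advisory lists; the allowlist contents, the function names and the sample request are assumptions constructed for the example.

```typescript
// Added example, not OpenClaw's code. Denylist vs. allowlist filtering of
// environment variables before they reach a host execution command.

// Variables the advisory names as able to change what a build tool executes.
const BUILD_TOOL_DENYLIST: ReadonlyArray<string> = [
  "HGRCPATH",
  "CARGO_BUILD_RUSTC_WRAPPER",
  "RUSTC_WRAPPER",
  "MAKEFLAGS",
];

// Names a host runner can reasonably pass through unchanged (assumed set).
const SAFE_ENV_ALLOWLIST: ReadonlyArray<string> = ["PATH", "HOME", "LANG", "TERM"];

interface EnvFilterResult {
  env: Record<string, string>; // variables that may reach the child process
  dropped: string[];           // names refused by the policy, for logging/alerting
}

// Environment names are case-insensitive on Windows, so compare the uppercased
// form; this also refuses "rustc_wrapper" on POSIX, which costs nothing there.
function normalizeName(name: string): string {
  return name.trim().toUpperCase();
}

// Denylist mode: every name passes unless it is explicitly listed. A newly
// discovered dangerous variable is forwarded until someone adds it, which is
// exactly the gap the advisory describes.
function filterByDenylist(input: Record<string, string>): EnvFilterResult {
  const env: Record<string, string> = {};
  const dropped: string[] = [];
  for (const name of Object.keys(input)) {
    if (BUILD_TOOL_DENYLIST.indexOf(normalizeName(name)) !== -1) {
      dropped.push(name);
    } else {
      env[name] = input[name];
    }
  }
  return { env, dropped };
}

// Allowlist mode: every name is refused unless it is explicitly listed. An
// unknown variable fails closed, so a missing entry costs functionality
// rather than code execution.
function filterByAllowlist(input: Record<string, string>): EnvFilterResult {
  const env: Record<string, string> = {};
  const dropped: string[] = [];
  for (const name of Object.keys(input)) {
    if (SAFE_ENV_ALLOWLIST.indexOf(normalizeName(name)) !== -1) {
      env[name] = input[name];
    } else {
      dropped.push(name);
    }
  }
  return { env, dropped };
}

// Constructed sample request: benign variables mixed with a lowercased
// wrapper override and a MAKEFLAGS value. The values are placeholders.
const SAMPLE_REQUEST_ENV: Record<string, string> = {
  PATH: "/usr/bin:/bin",
  HOME: "/home/agent",
  rustc_wrapper: "/tmp/example-wrapper",
  MAKEFLAGS: "-j4",
  CI: "true",
};

// Stand-alone run: compare what each policy lets through.
const byDeny = filterByDenylist(SAMPLE_REQUEST_ENV);
const byAllow = filterByAllowlist(SAMPLE_REQUEST_ENV);
console.log("denylist kept:", Object.keys(byDeny.env), "dropped:", byDeny.dropped);
console.log("allowlist kept:", Object.keys(byAllow.env), "dropped:", byAllow.dropped);
```

The `dropped` list is worth logging on its own: a request that carries RUSTC_WRAPPER or MAKEFLAGS to an agent that never builds anything is a useful detection signal regardless of which policy is in force.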
Remediation
Users can upgrade to OpenClaw version 2026.4.8 or later to address this vulnerability.
