CVE-2026-29610

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.8 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers with authenticated access to node-host execution surfaces or those running OpenClaw in attacker-controlled directories can place malicious executables in PATH to override allowlisted safe-bin commands and achieve arbitrary command execution.

Vulnerability Details

Published Date

March 05, 2026

Last Modified

March 11, 2026

CWE ID

CWE-427

Source

NVD

Vendor

OpenClaw

Product

OpenClaw

External References

https://github.com/openclaw/openclaw/commit/013e8f6b3be3333a229a066eef26a45fec47ffcc
https://github.com/openclaw/openclaw/security/advisories/GHSA-jqpq-mgvm-f9r6
https://www.vulncheck.com/advisories/openclaw-command-hijacking-via-unsafe-path-handling

CVE-2026-29610

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment