PT-2026-25444 · Npm · Openclaw
Published 2026-03-03 · Updated 2026-03-03
CVSS v3.1: 8.8 (High)
CVSS v3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
OpenClaw allowed dangerous process-control environment variables from env.vars (for example NODE_OPTIONS, LD_*, DYLD_*) to flow into gateway service runtime environments, enabling startup-time code execution in the OpenClaw process context.
Details
collectConfigEnvVars() accepted unfiltered keys from config, and those values were merged into the daemon install environment in buildGatewayInstallPlan(). Before the fix, startup-control variables were not blocked in this path. NODE_OPTIONS passes CLI flags such as --require to the Node.js runtime, and LD_* / DYLD_* variables (LD_PRELOAD, DYLD_INSERT_LIBRARIES) direct the dynamic loader to load arbitrary shared libraries, so whoever controls these values in env.vars gets code executed in the gateway process before any of its own code runs.
Affected Packages / Versions
- Package: openclaw (npm)
- Latest published affected version: 2026.2.19-2 (published February 19, 2026)
- Affected range (structured): <=2026.2.19-2 || =2026.2.19
- Patched version (pre-set for next release): >= 2026.2.21
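The collector-and-merge path described under Details, as an added example that is not OpenClaw's own code. It places a pass-through collector (the pre-fix behaviour) beside a filtering one, then feeds both into a hypothetical install-plan builder so the difference in the resulting daemon environment is visible. The function shapes, the config layout, the base environment and the sample values are all assumptions made for the example; only the variable names NODE_OPTIONS, LD_* and DYLD_* come from the advisory.

```javascript
// Added example, not OpenClaw's own code. It models the flow the advisory
// describes (config env.vars -> collectConfigEnvVars() -> merged into the
// daemon environment by buildGatewayInstallPlan()) with a vulnerable and a
// hardened collector side by side. Function shapes, the config layout and
// the sample values below are assumptions, not the project's real API.

// Exact keys and prefixes the advisory names as startup-control variables.
// NODE_OPTIONS injects Node.js CLI flags (e.g. --require <file>) into every
// node process; LD_* and DYLD_* steer the ELF / Mach-O dynamic loaders
// (LD_PRELOAD, DYLD_INSERT_LIBRARIES, ...). Any of them runs attacker
// code before the gateway's own code starts.
const BLOCKED_ENV_KEYS = new Set(["NODE_OPTIONS"]);
const BLOCKED_ENV_PREFIXES = ["LD_", "DYLD_"];

function isStartupControlVar(key) {
  // Compare case-insensitively: over-blocking "ld_preload" on a platform
  // that ignores it is harmless; under-blocking on a case-insensitive
  // platform is not.
  const k = String(key).toUpperCase();
  return BLOCKED_ENV_KEYS.has(k) || BLOCKED_ENV_PREFIXES.some((p) => k.startsWith(p));
}

// Vulnerable shape: every configured key is passed through untouched.
function collectConfigEnvVarsUnfiltered(config) {
  return { ...((config.env && config.env.vars) || {}) };
}

// Hardened shape: drop startup-control keys and report what was rejected,
// so an operator can see that a config tried to set them.
function collectConfigEnvVarsFiltered(config) {
  const accepted = {};
  const rejected = [];
  for (const [key, value] of Object.entries((config.env && config.env.vars) || {})) {
    if (isStartupControlVar(key)) {
      rejected.push(key);
      continue;
    }
    accepted[key] = String(value);
  }
  return { accepted, rejected };
}

// Hypothetical install-plan builder: the daemon's baseline environment
// plus whatever the collector returned. This merge is where unfiltered
// values became part of the service's runtime environment.
function buildGatewayInstallPlan(baseEnv, configEnv) {
  return {
    command: "node",
    args: ["gateway.js"],
    env: { ...baseEnv, ...configEnv },
  };
}

// Constructed sample input: one benign setting and three hostile ones.
// The base environment and the file paths are made up for the example.
const SAMPLE_BASE_ENV = { PATH: "/usr/bin", HOME: "/var/lib/openclaw" };
const SAMPLE_CONFIG = {
  env: {
    vars: {
      OPENCLAW_LOG_LEVEL: "debug",
      NODE_OPTIONS: "--require /tmp/hook.js",
      LD_PRELOAD: "/tmp/hook.so",
      DYLD_INSERT_LIBRARIES: "/tmp/hook.dylib",
    },
  },
};

// Pre-fix path: the plan's env carries NODE_OPTIONS, LD_PRELOAD and
// DYLD_INSERT_LIBRARIES straight from config.
function planBeforeFix() {
  return buildGatewayInstallPlan(SAMPLE_BASE_ENV, collectConfigEnvVarsUnfiltered(SAMPLE_CONFIG));
}

// Post-fix path: only OPENCLAW_LOG_LEVEL survives; the rest are reported.
function planAfterFix() {
  const { accepted, rejected } = collectConfigEnvVarsFiltered(SAMPLE_CONFIG);
  return { plan: buildGatewayInstallPlan(SAMPLE_BASE_ENV, accepted), rejected };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("before fix:", planBeforeFix().env);
  const after = planAfterFix();
  console.log("after fix:", after.plan.env, "rejected:", after.rejected);
}
```

The filter works on names, not values, because a value check cannot be made safe: any non-empty NODE_OPTIONS or LD_PRELOAD is already a loader instruction. Returning the rejected keys rather than silently dropping them matters in practice, since a config that tries to set LD_PRELOAD on a gateway host is itself something the operator should be alerted to.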
Fix Commit(s)
2cdbadee1f8fcaa93302d7debbfc529e19868ea4
Release Process Note
The patched version is pre-set to the planned next release (2026.2.21). Once that npm release is published, this advisory is ready to publish without further content edits.
OpenClaw thanks @tdjackey for reporting.
Affected Products
Openclaw