PT-2026-26008 · Openclaw · Openclaw
Tdjackey +1
Published 2026-02-21 · Updated 2026-03-18 · CVE-2026-22177
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.21 (OpenClaw versions 2026.2.19 and earlier)
Description: OpenClaw fails to filter dangerous process-control environment variables from configuration-supplied environment variables, allowing startup-time code execution. An attacker who can control the configuration can inject variables such as NODE_OPTIONS or LD_* and execute arbitrary code in the runtime context of the OpenClaw gateway service. The issue stems from the collectConfigEnvVars() function accepting unfiltered keys from configuration, which are then merged into the daemon install environment via buildGatewayInstallPlan(). Prior to the fix, startup-control variables were not blocked in this process.
Recommendations: OpenClaw versions prior to 2026.2.21 should be updated to version 2026.2.21 or later.
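The defect and its mitigation, modelled as an added example that is not OpenClaw's own code: the function names collectConfigEnvVars() and buildGatewayInstallPlan() mirror the advisory, but their bodies, the sample config and the blocklist contents are assumptions. The hardened variant rejects startup-control variables (NODE_OPTIONS and the LD_ prefix, the families the advisory names) before the merge into the install environment.

```javascript
// Added example, not OpenClaw's code. Names mirror the advisory; bodies,
// blocklist and sample data are assumed.

// Variables that change how the process loader or runtime starts and so must
// never be settable from configuration. Matched case-insensitively because
// some platforms treat env names that way.
const BLOCKED_EXACT = new Set(["NODE_OPTIONS"]);
const BLOCKED_PREFIXES = ["LD_"];
// Env names must be plain identifiers; anything else is rejected outright.
const VALID_NAME = /^[A-Z_][A-Z0-9_]*$/i;

function isStartupControlVar(name) {
  const upper = name.toUpperCase();
  if (BLOCKED_EXACT.has(upper)) return true;
  return BLOCKED_PREFIXES.some((p) => upper.startsWith(p));
}

// Vulnerable shape: every key under config.env is accepted as-is.
function collectConfigEnvVarsUnfiltered(config) {
  return { ...(config.env || {}) };
}

// Hardened shape: drop (and report) startup-control and malformed keys.
function collectConfigEnvVars(config) {
  const accepted = {};
  const rejected = [];
  for (const [name, value] of Object.entries(config.env || {})) {
    if (!VALID_NAME.test(name) || isStartupControlVar(name)) {
      rejected.push(name);
      continue;
    }
    accepted[name] = String(value);
  }
  return { accepted, rejected };
}

// Merge step corresponding to buildGatewayInstallPlan(): config values win
// over the base environment, so filtering has to happen before this point.
function buildGatewayInstallPlan(baseEnv, configEnv) {
  return { env: { ...baseEnv, ...configEnv } };
}

// Constructed sample config: one benign key and two startup-control keys.
const sampleConfig = {
  env: {
    LOG_LEVEL: "debug",
    NODE_OPTIONS: "untrusted-value",
    LD_PRELOAD: "untrusted-value",
  },
};
```

Logging the rejected list at startup gives operators a detection signal for config that tries to set these variables.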

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-05062
CVE-2026-22177
GHSA-8FMP-37RC-P5G7

Affected Products

Openclaw