CVE-2026-22177

CVSS v3.1

6.1

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE OPTIONS or LD * through configuration to execute arbitrary code in the OpenClaw gateway service runtime context.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-15

Related Identifiers

CVE-2026-22177

Affected Products

Openclaw

CVE-2026-22177

Weakness Enumeration

Related Identifiers

Affected Products

References · 4