PT-2026-26013 · Openclaw · Openclaw
Tdjackey · Published 2026-02-24 · Updated 2026-03-19 · CVE-2026-22217
CVSS v4.0: 8.5 (High)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.2.22 through 2026.2.22-2

Description: OpenClaw contains an arbitrary code execution issue in the shell-env component. The component accepts the value of the $SHELL environment variable if it is either listed in /etc/shells or an executable located under one of the hardcoded trusted prefixes /bin, /usr/bin, /usr/local/bin, /opt/homebrew/bin and /run/current-system/sw/bin, and then runs the selected shell as a login shell to probe the environment. On systems where one of these trusted-prefix directories is writable by an unprivileged user (for example /opt/homebrew/bin), an attacker who can influence $SHELL can point it at an attacker-controlled binary under that prefix, which the trusted-prefix fallback accepts and OpenClaw executes within its own process context.

Recommendations: Update OpenClaw to version 2026.2.23 or later.
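The following is an added illustration, not OpenClaw's code or its actual fix. It contrasts the weak pattern the description names (accept $SHELL if it is in /etc/shells or any executable under a trusted prefix) with a hardened selector that drops the prefix fallback and additionally requires the candidate and its containing directory to be root-owned and not group/world writable, falling back to /bin/sh otherwise. The in-memory filesystem, the /etc/shells contents and the uid 501 owner of /opt/homebrew/bin are constructed fixtures so the example runs offline; the function names are the author's own.

```python
"""$SHELL selection: trusted-prefix fallback (weak) vs. hardened check. Constructed
example; not OpenClaw's code. The "filesystem" below is an in-memory fixture."""
import stat
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Trusted prefixes named in the advisory.
TRUSTED_PREFIXES = ("/bin", "/usr/bin", "/usr/local/bin",
                    "/opt/homebrew/bin", "/run/current-system/sw/bin")
DEFAULT_SHELL = "/bin/sh"


@dataclass(frozen=True)
class PathInfo:
    """Minimal stat-like record: owner uid, permission bits, directory flag."""
    uid: int
    mode: int
    is_dir: bool = False


Lookup = Callable[[str], Optional[PathInfo]]  # path -> PathInfo or None if absent


def parse_etc_shells(text: str) -> frozenset:
    """Absolute paths listed in /etc/shells; blank lines and # comments ignored."""
    return frozenset(l.strip() for l in text.splitlines()
                     if l.strip() and not l.strip().startswith("#"))


def weak_select_shell(shell_env: str, allowed: frozenset, lookup: Lookup) -> str:
    """Weak pattern: listed in /etc/shells OR any executable under a trusted prefix."""
    if shell_env in allowed:
        return shell_env
    info = lookup(shell_env)
    if info is not None and not info.is_dir and info.mode & stat.S_IXUSR:
        for prefix in TRUSTED_PREFIXES:
            if shell_env.startswith(prefix + "/"):
                return shell_env  # accepted without checking who owns the file or its directory
    return DEFAULT_SHELL


def _root_owned_and_locked(info: Optional[PathInfo], want_dir: bool) -> bool:
    """Entry exists, has the expected type, is owned by root, and is not group/world writable."""
    if info is None or info.is_dir != want_dir or info.uid != 0:
        return False
    return not info.mode & (stat.S_IWGRP | stat.S_IWOTH)


def hardened_select_shell(shell_env: str, allowed: frozenset, lookup: Lookup) -> str:
    """Hardened pattern: no prefix fallback. Require an absolute, normalised path that is
    listed in /etc/shells, a root-owned executable file, in a root-owned locked directory."""
    if not shell_env.startswith("/") or "/../" in shell_env or shell_env.endswith("/.."):
        return DEFAULT_SHELL
    if shell_env not in allowed:
        return DEFAULT_SHELL
    parent = shell_env.rsplit("/", 1)[0] or "/"
    if not _root_owned_and_locked(lookup(parent), want_dir=True):
        return DEFAULT_SHELL  # e.g. a user-writable /opt/homebrew/bin
    file_info = lookup(shell_env)
    if not _root_owned_and_locked(file_info, want_dir=False):
        return DEFAULT_SHELL
    if not file_info.mode & stat.S_IXUSR:
        return DEFAULT_SHELL
    return shell_env


# Constructed fixture: a Homebrew prefix owned by an unprivileged user (uid 501).
FIXTURE_FS: Dict[str, PathInfo] = {
    "/bin": PathInfo(uid=0, mode=0o755, is_dir=True),
    "/bin/sh": PathInfo(uid=0, mode=0o755),
    "/bin/bash": PathInfo(uid=0, mode=0o755),
    "/opt/homebrew/bin": PathInfo(uid=501, mode=0o755, is_dir=True),
    "/opt/homebrew/bin/zsh": PathInfo(uid=501, mode=0o755),   # listed in /etc/shells
    "/opt/homebrew/bin/fish": PathInfo(uid=501, mode=0o755),  # not listed; prefix fallback only
    "/tmp": PathInfo(uid=0, mode=0o1777, is_dir=True),
    "/tmp/not-a-shell": PathInfo(uid=501, mode=0o755),
}
FIXTURE_ETC_SHELLS = "# constructed /etc/shells\n/bin/sh\n/bin/bash\n/opt/homebrew/bin/zsh\n"


def demo() -> Dict[str, tuple]:
    """Run both selectors over the fixture; returns {candidate: (weak, hardened)}."""
    allowed = parse_etc_shells(FIXTURE_ETC_SHELLS)
    lookup = FIXTURE_FS.get
    return {c: (weak_select_shell(c, allowed, lookup), hardened_select_shell(c, allowed, lookup))
            for c in ("/bin/bash", "/opt/homebrew/bin/zsh", "/opt/homebrew/bin/fish", "/tmp/not-a-shell")}


if __name__ == "__main__":
    for cand, (weak, hard) in demo().items():
        print(f"{cand:26} weak -> {weak:24} hardened -> {hard}")
```

The fixture shows the two ways the weak selector lets an attacker-controlled binary through: a user-owned prefix directory whose shell happens to be listed in /etc/shells, and an unlisted executable that the prefix fallback accepts anyway. The hardened selector refuses both and falls back to /bin/sh, at the cost of rejecting legitimately user-installed shells; that trade-off (safety over convenience when the environment is untrusted) is the design choice a defender makes for a process that will run the selected binary with its own privileges.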

Fix

Weakness Enumeration: Incomplete List of Disallowed Inputs

Related Identifiers

BDU:2026-05249
CVE-2026-22217
GHSA-P4WH-CR8M-GM6C

Affected Products

Openclaw