CVE-2026-29610

Command hijacking via PATH handling

Discovered: 2026-02-04

Reporter: @akhmittra

Summary

OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary ("command hijacking") when running host commands.

This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects PATH to be trustworthy.

Affected Packages / Versions

• Package: openclaw (npm)
• Affected: < 2026.2.14
• Patched: >= 2026.2.14 (planned next release)

What Is Required To Trigger This

A) Node Host PATH override (remote command hijack)

An attacker needs all of the following:

• Authenticated/authorized access to an execution surface that can invoke node-host execution (for example, a compromised gateway or a caller that can issue system.run).
• A node host connected and exposing system.run.
• A configuration where allowlist/safe-bins are expected to restrict execution (this is not meaningful if full arbitrary exec is already allowed).
• The ability to pass request-scoped environment overrides (specifically PATH) into system.run.
• A way to place an attacker-controlled executable earlier in PATH (for example, a writable directory on the node host), with a name that matches an allowlisted/safe-bin command that OpenClaw will run.

Notes:

• OpenClaw deployments commonly require a gateway token/password (or equivalent transport authentication). This should not be treated as unauthenticated Internet RCE.
• This scenario typically depends on non-standard / misconfigured deployments (for example, granting untrusted parties access to invoke node-host execution or otherwise exposing a privileged execution surface beyond the intended trust boundary).

B) Project-local PATH bootstrapping (local command hijack)

An attacker needs all of the following:

• The victim runs OpenClaw from within an attacker-controlled working directory (for example, cloning and running inside a malicious repository).
• That directory contains a node_modules/.bin/openclaw and additional attacker-controlled executables in the same directory.
• OpenClaw subsequently executes a command by name (resolved via PATH) that matches one of those attacker-controlled executables.

Fix

• Project-local node_modules/.bin PATH bootstrapping is now disabled by default. If explicitly enabled, it is append-only (never prepended) via OPENCLAWALLOWPROJECTLOCALBIN=1.
• Node Host now ignores request-scoped PATH overrides.

Fix Commit(s)

• 013e8f6b3be3333a229a066eef26a45fec47ffcc

Thanks @akhmittra for reporting.