Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-jqpq-mgvm-f9r6

HIGH

OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)

Also known asCVE-2026-29610
Published
Feb 18, 2026
Updated
Mar 6, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.5%probability of exploitation in next 30 days
Lower Risk37th percentile+0.36%
0.00%0.32%0.64%0.96%0.1%0.1%0.1%0.5%Apr 26Jun 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

openclawnpm
3.7Mdownloads / week

Description

Command hijacking via PATH handling

Discovered: 2026-02-04 Reporter: @akhmittra

Summary

OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary ("command hijacking") when running host commands.

This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects PATH to be trustworthy.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.2.14
  • Patched: >= 2026.2.14 (planned next release)

What Is Required To Trigger This

A) Node Host PATH override (remote command hijack)

An attacker needs all of the following:

  • Authenticated/authorized access to an execution surface that can invoke node-host execution (for example, a compromised gateway or a caller that can issue system.run).
  • A node host connected and exposing system.run.
  • A configuration where allowlist/safe-bins are expected to restrict execution (this is not meaningful if full arbitrary exec is already allowed).
  • The ability to pass request-scoped environment overrides (specifically PATH) into system.run.
  • A way to place an attacker-controlled executable earlier in PATH (for example, a writable directory on the node host), with a name that matches an allowlisted/safe-bin command that OpenClaw will run.

Notes:

  • OpenClaw deployments commonly require a gateway token/password (or equivalent transport authentication). This should not be treated as unauthenticated Internet RCE.
  • This scenario typically depends on non-standard / misconfigured deployments (for example, granting untrusted parties access to invoke node-host execution or otherwise exposing a privileged execution surface beyond the intended trust boundary).

B) Project-local PATH bootstrapping (local command hijack)

An attacker needs all of the following:

  • The victim runs OpenClaw from within an attacker-controlled working directory (for example, cloning and running inside a malicious repository).
  • That directory contains a node_modules/.bin/openclaw and additional attacker-controlled executables in the same directory.
  • OpenClaw subsequently executes a command by name (resolved via PATH) that matches one of those attacker-controlled executables.

Fix

  • Project-local node_modules/.bin PATH bootstrapping is now disabled by default. If explicitly enabled, it is append-only (never prepended) via OPENCLAW_ALLOW_PROJECT_LOCAL_BIN=1.
  • Node Host now ignores request-scoped PATH overrides.

Fix Commit(s)

  • 013e8f6b3be3333a229a066eef26a45fec47ffcc

Thanks @akhmittra for reporting.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npmopenclawall versions2026.2.14

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openclaw. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update openclaw to 2026.2.14 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-jqpq-mgvm-f9r6 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-jqpq-mgvm-f9r6 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-jqpq-mgvm-f9r6. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

# Command hijacking via PATH handling **Discovered:** 2026-02-04 **Reporter:** @akhmittra ## Summary OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary ("command hijacking") when running host commands. This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects `PATH` to be trustworthy. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `< 2026.2.14` - Patched: `>= 2026.2.14` (planned next release) ## What Is Req
O3 Security · Impact-Aware SCA

Is GHSA-jqpq-mgvm-f9r6 in your dependencies?

O3 detects GHSA-jqpq-mgvm-f9r6 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works