8.8
CVE-2026-24763
- EPSS 4.77%
- Veröffentlicht 02.02.2026 23:16:08
- Zuletzt bearbeitet 13.02.2026 14:28:51
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginAuthenticated Command Injection in OpenClaw Docker Execution via PATH Environment Variable
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 4.77% | 0.908 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75
https://github.com/openclaw/openclaw/releases/tag/v2026.1.29
https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v