CVE-2026-22217: OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL
(updated )
shell-env fallback trusted prefix-based executable paths for $SHELL, allowing execution of attacker-controlled binaries in local/runtime-env influence scenarios.
References
- github.com/advisories/GHSA-p4wh-cr8m-gm6c
- github.com/openclaw/openclaw/commit/ff10fe8b91670044a6bb0cd85deb736a0ec8fb55
- github.com/openclaw/openclaw/security/advisories/GHSA-p4wh-cr8m-gm6c
- nvd.nist.gov/vuln/detail/CVE-2026-22217
- www.vulncheck.com/advisories/openclaw-arbitrary-binary-execution-via-shell-environment-variable-trusted-prefix-fallback
Code Behaviors & Features
Detect and mitigate CVE-2026-22217 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →