CVE-2026-24763: OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable
(updated )
A Command Injection vulnerability existed in Clawdbot’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands.
An authenticated user able to control environment variables could influence command execution within the container context. This issue has been fixed and regression tests have been added to prevent reintroduction.
References
- github.com/advisories/GHSA-mc68-q9jw-2h3v
- github.com/clawdbot/clawdbot/security/advisories/GHSA-mc68-q9jw-2h3v
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75
- github.com/openclaw/openclaw/releases/tag/v2026.1.29
- github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v
- nvd.nist.gov/vuln/detail/CVE-2026-24763
Code Behaviors & Features
Detect and mitigate CVE-2026-24763 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →