CVE-2026-29610: OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)
(updated )
OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary (“command hijacking”) when running host commands.
This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects PATH to be trustworthy.
References
- github.com/advisories/GHSA-jqpq-mgvm-f9r6
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/013e8f6b3be3333a229a066eef26a45fec47ffcc
- github.com/openclaw/openclaw/releases/tag/v2026.2.14
- github.com/openclaw/openclaw/security/advisories/GHSA-jqpq-mgvm-f9r6
- nvd.nist.gov/vuln/detail/CVE-2026-29610
- www.vulncheck.com/advisories/openclaw-command-hijacking-via-unsafe-path-handling
Code Behaviors & Features
Detect and mitigate CVE-2026-29610 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →