GHSA-jqpq-mgvm-f9r6: OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)
OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary (“command hijacking”) when running host commands.
This issue primarily matters when OpenClaw is relying on allowlist/safe-bin protections and expects PATH to be trustworthy.
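The resolution discipline this advisory implies, as an added TypeScript example that is not OpenClaw's own code (the names `resolveAllowlisted`, `ResolveResult` and `demo` are hypothetical): a PATH received from a bootstrap environment or a host override is treated as untrusted, allowlisted commands are searched only in operator-trusted directories, and the dropped PATH entries are returned so an override attempt is visible to logging.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical names, not OpenClaw's API: resolve an allowlisted command while
// treating the supplied PATH as untrusted input.
interface ResolveResult {
  ok: boolean;
  binary?: string;
  droppedDirs: string[]; // PATH entries ignored because they are not trusted
}
function resolveAllowlisted(
  cmd: string,
  candidatePath: string, // PATH as received (bootstrap env, host override, ...)
  trustedDirs: string[], // absolute directories the operator trusts
  allowlist: Set<string>,
): ResolveResult {
  const droppedDirs: string[] = [];
  // A bare allowlisted name only; "./git" or "/tmp/git" would bypass the search.
  if (!allowlist.has(cmd) || cmd !== path.basename(cmd)) return { ok: false, droppedDirs };
  const trusted = new Set(trustedDirs.map((d) => path.resolve(d)));
  const searchDirs: string[] = [];
  for (const raw of candidatePath.split(path.delimiter)) {
    const dir = raw === "" ? "" : path.resolve(raw); // "" means cwd, never trusted
    if (dir !== "" && trusted.has(dir)) searchDirs.push(dir);
    else droppedDirs.push(raw === "" ? "<empty entry (cwd)>" : raw);
  }
  for (const dir of searchDirs) {
    const candidate = path.join(dir, cmd);
    try {
      fs.accessSync(candidate, fs.constants.X_OK);
      if (fs.statSync(candidate).isFile()) return { ok: true, binary: candidate, droppedDirs };
    } catch { /* absent or not executable here; keep looking in trusted dirs */ }
  }
  return { ok: false, droppedDirs };
}

// Constructed demo layout in a temp dir: an untrusted directory placed first in
// PATH also contains a "git"; if PATH were trusted that copy would win (the hijack).
function demo(): { hijacked: ResolveResult; trustedBin: string } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "path-hijack-demo-"));
  const trustedBin = path.join(root, "trusted-bin");
  const untrustedBin = path.join(root, "untrusted-bin");
  for (const d of [trustedBin, untrustedBin]) {
    fs.mkdirSync(d);
    fs.writeFileSync(path.join(d, "git"), "#!/bin/sh\necho stub\n", { mode: 0o755 });
  }
  const suppliedPath = [untrustedBin, trustedBin].join(path.delimiter);
  return { hijacked: resolveAllowlisted("git", suppliedPath, [trustedBin], new Set(["git"])), trustedBin };
}
```

`demo()` returns the trusted copy of `git` even though the untrusted directory comes first in the supplied PATH, and `droppedDirs` names that directory so it can be logged.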