system.run allowed SHELLOPTS + PS4 environment injection to trigger command substitution during bash -lc xtrace expansion before the allowlisted command body executed.
openclaw (npm)<= 2026.2.21-2 (includes latest published npm version at triage time)2026.2.22In allowlist mode, an attacker who can invoke system.run with request-scoped env could execute additional shell commands outside the intended allowlisted command body.
Host exec env sanitization blocked startup-file vectors (BASH_ENV, ENV, etc.) but did not block SHELLOPTS/PS4. For shell wrappers (bash|sh|zsh ... -c/-lc), request env overrides were passed through and bash evaluated PS4 under xtrace, enabling command substitution.
SHELLOPTS and PS4 in host exec env sanitizers (Node + macOS).bash|sh|zsh ... -c/-lc), reduce request-scoped env overrides to an explicit allowlist (TERM, LANG, LC_*, COLORTERM, NO_COLOR, FORCE_COLOR).e80c803fa887f9699ad87a9e906ab5c1ff85bd9apatched_versions is pre-set to the planned next release (2026.2.22). Once npm release 2026.2.22 is published, advisory publication is a final state action only.
This advisory is rated medium because exploitation requires a caller that can already invoke system.run with request-scoped env.
Under OpenClaw's documented trust model (SECURITY.md), authenticated Gateway callers are treated as trusted operators, and adversarial multi-operator / prompt-injection scenarios are out of scope.
The bug remains a real allowlist-intent bypass, but it does not cross a separate trust boundary in the documented deployment assumptions.
OpenClaw thanks @tdjackey for reporting.
2026.2.22Exploitability
AV:NAC:HAT:NPR:HUI:NVulnerable System
VC:HVI:HVA:HSubsequent System
SC:NSI:NSA:N7.5/CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N