Platform: nodejs
Component: openclaw
Fixed in: 2026.2.22
CVE-2026-32056 describes a remote code execution (RCE) vulnerability in the openclaw Node.js package. The flaw arises from insufficient sanitization of the HOME and ZDOTDIR environment variables: an attacker who controls them can point the shell that runs an allowlisted command at attacker-controlled startup files (for zsh, $ZDOTDIR/.zshenv or, failing that, $HOME/.zshenv, which zsh sources on every invocation, non-interactive ones included), so arbitrary code runs before the allowlisted command body is evaluated. The allowlist check on the command body therefore never sees the injected code. The vulnerability affects openclaw versions up to and including 2026.2.21-2; version 2026.2.22 contains the fix.
An attacker exploiting CVE-2026-32056 can achieve remote code execution on systems running vulnerable versions of openclaw by supplying environment variables that cause the spawned shell to execute attacker-controlled startup files. The code runs with the privileges of the openclaw process, so the impact ranges from unauthorized access to sensitive data and system resources to complete compromise of the host. The technique is the same as in other environment-variable injection attacks, where variables that steer a shell's startup (HOME, ZDOTDIR, or their bash counterparts BASH_ENV and ENV) are manipulated so that the shell runs arbitrary code before the intended command. The blast radius extends to any application or service that embeds the vulnerable openclaw package, which may cover a wide range of deployments.
CVE-2026-32056 was published on 2026-03-03 with a HIGH severity rating (CVSS 7.5). No public exploit or active campaign targeting it is known at the time of writing, and it is not listed in the CISA KEV catalog. That a patched release was already available at publication is consistent with the issue having been found through security research rather than through an observed incident.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32056 is to upgrade the openclaw package to version 2026.2.22 or later. If an immediate upgrade is not feasible because of compatibility issues or breaking changes, reduce the attack surface in the meantime by ensuring that HOME and ZDOTDIR (and other shell-controlling variables such as BASH_ENV and ENV) are set by the application from fixed, trusted values rather than taken from any caller-controlled input, and, where the invoking code can be changed, by starting the shell with startup files disabled (zsh -f). This narrows the exposure but is not a substitute for the patch. Monitor process-execution logs for shells spawned by the openclaw process with unexpected HOME or ZDOTDIR values and for unexpected child processes of those shells. A web application firewall is unlikely to help here: the malicious input is the content of environment variables, not a request pattern a WAF can match. After upgrading, confirm the fix with a test that runs an allowlisted command through openclaw with HOME and ZDOTDIR pointed at a directory containing a harmless startup file (for example one that only writes a marker file) and verifies that the marker is never written.
Update openclaw to version 2026.2.22 or later; this release corrects the environment-variable injection that allows remote code execution. openclaw is a Node.js package, so the update is performed with npm (for example npm install openclaw@2026.2.22, or by raising the pinned version in package.json and reinstalling), not with pip.
CVE-2026-32056 is a remote code execution vulnerability in the openclaw Node.js package where unsanitized environment variables can lead to the execution of attacker-controlled startup files.
You are affected if you are using openclaw versions 2026.2.21-2 or earlier. Check your project's dependencies using npm list openclaw.
Upgrade to openclaw version 2026.2.22 or later. If an immediate upgrade is not possible, make sure HOME and ZDOTDIR are set by your application from fixed values rather than from caller-controlled input until you can apply the patch.
As of now, there are no publicly known exploits or active campaigns targeting CVE-2026-32056, but it's crucial to apply the patch promptly.
Refer to the openclaw project's repository or npm package page for the latest advisory and release notes: [https://www.npmjs.com/package/openclaw](https://www.npmjs.com/package/openclaw)