{"id":"CVE-2026-22217","details":"OpenClaw version 2026.2.22 prior to 2026.2.23 contains an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix fallback logic for the $SHELL variable. An attacker can influence the $SHELL environment variable on systems with writable trusted-prefix directories such as /opt/homebrew/bin to execute arbitrary binaries in the OpenClaw process context.","aliases":["GHSA-p4wh-cr8m-gm6c"],"modified":"2026-04-10T05:41:18.899112Z","published":"2026-03-18T02:16:23.003Z","references":[{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/openclaw-arbitrary-binary-execution-via-shell-environment-variable-trusted-prefix-fallback"},{"type":"ADVISORY","url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-p4wh-cr8m-gm6c"},{"type":"FIX","url":"https://github.com/openclaw/openclaw/commit/ff10fe8b91670044a6bb0cd85deb736a0ec8fb55"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openclaw/openclaw","events":[{"introduced":"a54dc7fe80fc02e2a02e6901668a468fcb0cf8b4"},{"fixed":"b817600533129771ace2801d7c05901c7f850fb8"},{"fixed":"ff10fe8b91670044a6bb0cd85deb736a0ec8fb55"}],"database_specific":{"versions":[{"introduced":"2026.2.22"},{"fixed":"2026.2.23"}]}}],"versions":["v2026.2.22","v2026.2.23-beta.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22217.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}