CVE-2026-29610
Published: 05 March 2026
Summary
CVE-2026-29610 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by PATH Environment Variable (T1574.007); ranked at the 27.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and CM-11 (User-installed Software).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-29610 by requiring timely remediation of the specific flaw through patching to OpenClaw 2026.2.14 or later.
Enforces deny-all, permit-by-exception policy for software execution, preventing malicious binaries from overriding allowlisted safe-bin commands via PATH manipulation.
Restricts user installation of unauthorized software, preventing attackers from placing malicious executables in PATH during node-host execution or project-local bootstrapping.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct match to PATH environment variable manipulation for hijacking allowlisted binaries (CWE-427), enabling arbitrary command execution via T1574.007 Path Interception by PATH Environment Variable.
NVD Description
OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers with authenticated access to node-host execution surfaces or those running OpenClaw…
more
in attacker-controlled directories can place malicious executables in PATH to override allowlisted safe-bin commands and achieve arbitrary command execution.
Deeper analysisAI
CVE-2026-29610 is a command hijacking vulnerability (CWE-427) affecting OpenClaw versions prior to 2026.2.14. The flaw enables attackers to execute unintended binaries by manipulating PATH environment variables during node-host execution or project-local bootstrapping processes.
Attackers with authenticated access to node-host execution surfaces, or those running OpenClaw in attacker-controlled directories, can exploit this by placing malicious executables in the PATH to override allowlisted safe-bin commands, resulting in arbitrary command execution. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact with network accessibility, low attack complexity, and low privileges required.
Advisories recommend upgrading to OpenClaw 2026.2.14 or later to mitigate the issue, with the fixing commit available at https://github.com/openclaw/openclaw/commit/013e8f6b3be3333a229a066eef26a45fec47ffcc. Further details on the vulnerability and remediation are provided in the GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-jqpq-mgvm-f9r6 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-command-hijacking-via-unsafe-path-handling.
Details
- CWE(s)