Shell-wrapper Detection Bypass in OpenClaw Products by OpenClaw
CVE-2026-42435

8.7 HIGH

Key Information:

Vendor

OpenClaw

Status
Vendor
CVE Published: 5 May 2026

What is CVE-2026-42435?

OpenClaw versions from 2026.2.22 to 2026.4.11 are affected by a shell-wrapper detection bypass. An attacker can inject environment variable assignments at the argv level, which circumvents exec preflight handling and allows manipulation of crucial shell variables such as SHELLOPTS and PS4. Manipulating these variables can severely compromise execution semantics and the security mechanisms in place.

Affected Version(s)

OpenClaw 2026.2.22 < 2026.4.12

OpenClaw 2026.4.12

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
