Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Command Injection in OpenClaw Docker Sandbox via PATH Manipulation

IdentifiersCVE-2026-24763CWE-78· Improper Neutralization of Special…

CVE-2026-24763 is a command injection vulnerability in OpenClaw (formerly Clawdbot) affecting versions prior to 2026.1.29. The flaw exists in the Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable while constructing shell commands. An authenticated user who can control environment variables passed into the Docker execution context can manipulate PATH so that unintended commands are executed within the container context. Supporting reporting also describes the issue as enabling a Docker sandbox escape or host access via PATH manipulation in certain deployments.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to influence or hijack command execution in OpenClaw’s Docker sandbox, resulting in unintended command execution inside the container. This can expose container-resident data such as filesystem contents, environment variables, and secrets available to the sandboxed process. In misconfigured, overly permissive, or privileged container deployments, the impact may extend beyond the container boundary and enable access to the host system, substantially increasing severity and potentially leading to broader compromise.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling Docker sandbox mode where operationally feasible, and prevent untrusted or low-trust users from supplying or controlling environment variables passed into the Docker execution context, especially PATH. Harden container runtime settings to avoid privileged containers, minimize mounted host filesystems, restrict secret exposure, and enforce least-privilege container configurations to limit the consequences of container-level command execution.

Remediation

Patch, then assume compromise.

Upgrade OpenClaw / clawdbot to version 2026.1.29 or later, which fixes the unsafe PATH handling in Docker sandbox command construction and includes regression coverage to prevent reintroduction. Verify that all deployments, including older Clawdbot or Moltbot-branded instances, are updated to a patched build.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
OpenclawClawdbotapplication
OpenclawOpenclawapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app
cyberthroneNews
Mar 18, 2026
OpenClaw: The Open-Source AI Agent Rewriting the Threat Landscape - TheCyberThrone

One of several additional OpenClaw vulnerabilities mentioned as part of a broader stack of moderate- to high-severity flaws affecting the platform.

Read more
dark readingNews
Mar 2, 2026
Critical OpenClaw Vulnerability Exposes AI Agent Risks

Unknown (referenced as part of a set of OpenClaw security issues; details not provided in the content).

Read more
the hacker newsNews
Feb 28, 2026
ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket

One of several recently disclosed OpenClaw vulnerabilities, ranging from moderate to high severity, that could lead to serious impacts such as remote code execution, command injection, SSRF, authentication bypass, or path traversal.

Read more
cyber security newsNews
Feb 10, 2026
15,200 OpenClaw Control Panels with Full System Access Exposed to Internet

A Docker/container escape affecting OpenClaw deployments, where PATH manipulation enables an agent to break out of the container sandbox and access the underlying host system.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-24763
NVD
nvd.nist.gov/vuln/detail/CVE-2026-24763
MITRE CWE · CWE-78
Improper Neutralization of Special Elements…
Patch
github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75
Vendor Advisory
github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v
Release Notes
github.com/openclaw/openclaw/releases/tag/v2026.1.29