{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-62203/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-62203"},{"cvss":7.1,"id":"CVE-2026-62205"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw (before 2026.6.6)","OpenClaw (\u003c 2026.6.6)"],"_cs_severities":["high"],"_cs_tags":["cve-2026-62203","vulnerability","environment-variable","code-execution","persistence"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eA high-severity vulnerability, identified as CVE-2026-62203, affects OpenClaw versions before 2026.6.6. This flaw resides within the \u003ccode\u003ehost exec\u003c/code\u003e component, which is responsible for executing commands, and specifically relates to its failure to properly sanitize \u003ccode\u003erustup\u003c/code\u003e startup environment variables. Attackers who have already gained lower-trust caller access to a system running a vulnerable OpenClaw application, or who can provide input through configured paths, can exploit this vulnerability. Successful exploitation grants the attacker the ability to execute arbitrary commands or establish persistence on the affected system, bypassing intended authorization levels and potentially leading to full system compromise. The vulnerability was published on July 17, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains \u0026quot;lower-trust caller access\u0026quot; to a system or can provide input via \u0026quot;configured input paths\u0026quot; to an OpenClaw application.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates inputs or environment variables passed to the OpenClaw application.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw application invokes its \u003ccode\u003ehost exec\u003c/code\u003e component to perform an action.\u003c/li\u003e\n\u003cli\u003eDuring this execution, the \u003ccode\u003ehost exec\u003c/code\u003e component fails to properly sanitize \u003ccode\u003erustup\u003c/code\u003e startup environment variables crafted by the attacker.\u003c/li\u003e\n\u003cli\u003eThe unsanitized environment variables allow the injection of malicious commands or modification of the legitimate execution flow.\u003c/li\u003e\n\u003cli\u003eThe system executes attacker-controlled commands under the context of the vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves unauthorized command execution and/or establishes persistence mechanisms on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-62203 can lead to severe consequences, including complete compromise of the confidentiality, integrity, and availability of the affected system. Attackers can execute arbitrary code, potentially leading to data exfiltration, system corruption, or the deployment of additional malicious payloads such as ransomware. The ability to establish persistence means that attackers can maintain access to the compromised system even after reboots or security remediations, enabling long-term unauthorized control. This vulnerability poses a significant risk to organizations using affected OpenClaw versions, as it can allow threat actors to escalate privileges and achieve their objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-62203 immediately by updating OpenClaw to version 2026.6.6 or later to remediate the environment variable filtering vulnerability.\u003c/li\u003e\n\u003cli\u003eReview access controls to OpenClaw applications to ensure that only trusted callers can interact with them and that all input paths are rigorously validated.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T02:23:53Z","date_published":"2026-07-17T02:23:26Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-env-var-vuln/","summary":"OpenClaw versions prior to 2026.6.6 contain an environment variable filtering vulnerability in its host exec component that fails to properly sanitize rustup startup variables, allowing attackers with lower-trust caller access or configured input paths to execute or persist actions beyond their intended authorization level.","title":"OpenClaw Environment Variable Filtering Vulnerability Allows Execution and Persistence","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-env-var-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-62203","version":"https://jsonfeed.org/version/1.1"}