5 matches found
NPM: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config
NPM: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...
CVE-2026-22177 OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD through configuration to execute arbitrary code in the OpenClaw gateway service...
GHSA-82G8-464F-2MV7 OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
Summary: applySkillConfigEnvOverrides previously copied skills.entries..env values into the host process.env without applying the host env safety policy. Impact: In affected versions, dangerous process-level variables such as NODE_OPTIONS could be injected when unset, which can influence...
AutomatedShops WebC 2.0/5.0 Symbolic Link Following Configuration File Weakness
No description provided by source. source: http://www.securityfocus.com/bid/7272/info It has been reported that WebC will execute in the directory of a symbolic link from which it is invoked. Because of this, it may be possible for a local user to load a configuration file that enabled dangerous...
AutomatedShops WebC 2.0/5.0 - Symbolic Link Following Configuration File
source: https://www.securityfocus.com/bid/7272/info It has been reported that WebC will execute in the directory of a symbolic link from which it is invoked. Because of this, it may be possible for a local user to load a configuration file that enabled dangerous variables. $ cd /tmp $ ln -s...