Lucene search
K

5 matches found

Github Security Blog
Github Security Blog
added 2026/06/16 9:32 p.m.10 views

Duplicate Advisory: Host environment sanitizer missed two Node.js control variables

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-ccwh-wwpp-6wg5. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that...

8.1CVSS5.2AI score0.00246EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/03/31 11:59 p.m.2 views

GHSA-J7P2-QCWM-94V4 OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides

Summary Host exec env override sanitization did not fail closed for several package-manager and related redirect variables that can steer dependency fetches or startup behavior. Impact An approved exec request could silently redirect package resolution or runtime bootstrap to attacker-controlled...

9.6CVSS6AI score0.00241EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/03/12 12:30 p.m.8 views

Duplicate Advisory: OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-82g8-464f-2mv7. This link is maintained to preserve external references. Original Description A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function...

8.8CVSS5.6AI score0.00316EPSS
Exploits0References9Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/12 12:2 p.m.10 views

CVE-2026-4039

A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1...

6.5CVSS5.7AI score0.00316EPSS
Exploits0References8
Github Security Blog
Github Security Blog
added 2026/02/27 9:36 p.m.12 views

OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)

Summary applySkillConfigEnvOverrides previously copied skills.entries..env values into the host process.env without applying the host env safety policy. Impact In affected versions, dangerous process-level variables such as NODEOPTIONS could be injected when unset, which can influence...

8.8CVSS5.9AI score0.00316EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder