3 matches found
GHSA-XRGF-R9GR-JJJF Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vfp4-8x56-j7c5. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environmen...
CVE-2026-43584
OpenClaw prior to version 2026.4.10 is affected by an insufficient environment variable denylist in the exec policy. This vulnerability allows operator-supplied overrides of high-risk interpreter startup variables (VIMINIT, EXINIT, LUA_INIT, HOSTALIASES), enabling manipulation of downstream execu...
GHSA-MJ59-H3Q9-GHFH OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config
Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact Workspace MCP stdio configuration could pass dangerous process-startup environment variables such as NODEOPTIONS, LDPRELOAD, or BASHENV to the spawned MCP server process. In a...