3 matches found
CVE-2026-22177 OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODEOPTIONS or LD through configuration to execute arbitrary code in the OpenClaw gateway service...
OpenClaw's config env vars allowed startup env injection into service runtime
Summary OpenClaw allowed dangerous process-control environment variables from env.vars for example NODEOPTIONS, LD, DYLD to flow into gateway service runtime environments, enabling startup-time code execution in the OpenClaw process context. Details collectConfigEnvVars accepted unfiltered keys...
GHSA-8FMP-37RC-P5G7 OpenClaw's config env vars allowed startup env injection into service runtime
Summary OpenClaw allowed dangerous process-control environment variables from env.vars for example NODEOPTIONS, LD, DYLD to flow into gateway service runtime environments, enabling startup-time code execution in the OpenClaw process context. Details collectConfigEnvVars accepted unfiltered keys...