5 matches found
CVE-2026-41373
OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restrict compiler binary environment variables, allowing untrusted models to substitute CC, CXX, CARGOBUILDRUSTC, and CMAKECCOMPILER via environment overrides. Attackers with approved host-exec requests c...
CVE-2026-41373
OpenClaw vulnerable before 2026.3.31 due to an incomplete host-env-security-policy.json that does not restrict compiler environment variables. This allows untrusted models to substitute compiler binaries (CC, CXX, CARGO_BUILD_RUSTC, CMAKE_C_COMPILER) via environment overrides when an approved hos...
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.22 contained security vulnerabilities. These vulnerabilities stemmed from incomplete host environment variable cleanup mechanisms in the host-env-security-policy.json and...
OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides
Summary Incomplete host-env-security-policy.json allows untrusted model to substitute compiler binaries CC, CXX, CARGOBUILDRUSTC, CMAKECCOMPILER via env overrides on approved host exec requests Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Shipped v2026.3....
GHSA-82G8-464F-2MV7 OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
Summary applySkillConfigEnvOverrides previously copied skills.entries..env values into the host process.env without applying the host env safety policy. Impact In affected versions, dangerous process-level variables such as NODEOPTIONS could be injected when unset, which can influence...