CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-CM8V-2VH9-CXF3

GHSA-cm8v-2vh9-cxf3: Remote Code Execution via Incomplete Environment Variable Denylist in OpenClaw

Alon Barad
Alon Barad
Software Engineer

Apr 10, 2026·6 min read·16 visits

Executive Summary (TL;DR)

An incomplete denylist in OpenClaw's host execution security policy fails to block Git plumbing environment variables like GIT_DIR. Attackers can inject these variables to redirect Git operations to malicious repositories, leading to arbitrary code execution via Git hooks.

OpenClaw, an open-source AI assistant tool, suffers from a command execution vulnerability due to an incomplete blocklist of environment variables. The failure to filter Git plumbing variables such as GIT_DIR allows attackers to hijack subsequent Git command executions and achieve arbitrary code execution.

Vulnerability Overview

OpenClaw is an AI assistant tool available as an npm package. It provides functionality to execute shell commands on the host system to perform tasks such as file management and build processes. To mitigate command injection and execution risks, the application implements a security policy that sanitizes environment variables passed to child processes.

The security enforcement mechanisms rely on a blocklist approach defined within the src/infra/host-env-security-policy.json configuration file. The underlying enforcement logic is implemented in src/infra/host-env-security.ts. This sanitization process strips known dangerous variables, such as LD_PRELOAD, before executing external commands.

Vulnerability GHSA-cm8v-2vh9-cxf3 represents a failure in this blocklist mechanism, categorized as CWE-184: Incomplete List of Disallowed Elements. The blocklist omitted several Git-specific plumbing environment variables. This omission provides an avenue for attackers to manipulate the execution context of legitimate tools invoked by OpenClaw.

Root Cause Analysis

The vulnerability originates from the incomplete nature of the environment variable denylist used during command execution. While the application successfully blocked common exploitation vectors like library preloading, it failed to account for tool-specific configuration variables. This is part of a broader class of build tool environment injection vulnerabilities discovered in early 2026.

The core issue lies in the omission of Git plumbing variables, specifically GIT_DIR, GIT_WORK_TREE, GIT_INDEX_FILE, GIT_OBJECT_DIRECTORY, and GIT_ALTERNATE_OBJECT_DIRECTORIES. These variables define the foundational paths and state mechanisms that the Git binary relies on during execution. When these variables are externally controlled, they override the standard behavior of the Git executable.

By manipulating GIT_DIR, an attacker specifies an arbitrary directory as the root of the Git repository. The Git executable will then read configuration files and hook scripts from this attacker-controlled directory rather than the legitimate workspace. This redirection fundamentally breaks the trust boundary between the OpenClaw execution environment and the host system.

Code Analysis

The vulnerable implementation utilized a static JSON array to define forbidden environment variables. Prior to version 2026.4.8, this array missed the critical Git plumbing variables. The oversight allowed malicious values to pass through the host-env-security.ts filter unhindered.

The following code block illustrates the state of src/infra/host-env-security-policy.json before the patch. The array lacks the necessary Git-specific entries.

{
  "blockedEnvironmentVariables": [
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "NODE_OPTIONS",
    "PYTHONPATH"
  ]
}

The patch introduced in version 2026.4.8 explicitly adds the missing Git variables to the denylist. This update ensures that any exec request attempting to set these variables is intercepted and sanitized.

{
  "blockedEnvironmentVariables": [
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "NODE_OPTIONS",
    "PYTHONPATH",
    "GIT_DIR",
    "GIT_WORK_TREE",
    "GIT_INDEX_FILE",
    "GIT_OBJECT_DIRECTORY",
    "GIT_ALTERNATE_OBJECT_DIRECTORIES"
  ]
}

While this patch remediates the immediate vulnerability, relying exclusively on a denylist remains an inherent architectural weakness. The application must continually update this list as new tools and environment variables are introduced. A more resilient approach would involve a strict allowlist of permitted environment variables.

Exploitation

Exploitation requires the attacker to influence the environment variables passed to an exec call within OpenClaw. This can be achieved through a malicious skill, a compromised plugin, or crafted user input that interacts with the command execution pipeline. The attacker first prepares a malicious directory on the host system or relies on an existing writable path.

The attacker populates this directory with a .git/hooks/ structure containing an executable script, such as a pre-commit or post-checkout hook. The payload within the hook script contains the arbitrary commands the attacker wishes to execute. The attacker then submits a request to OpenClaw that injects the GIT_DIR environment variable, pointing it to the prepared directory.

When OpenClaw subsequently executes any legitimate Git command as part of its normal operation, the Git binary parses the injected GIT_DIR variable. It redirects its execution context to the attacker's directory and executes the malicious hook script. This results in arbitrary code execution within the context of the OpenClaw application process.

Impact Assessment

Successful exploitation of this vulnerability yields arbitrary code execution on the host system running OpenClaw. The executed code runs with the privileges of the OpenClaw process. This access allows the attacker to compromise the confidentiality, integrity, and availability of the underlying system.

In terms of confidentiality, the attacker gains the ability to read sensitive files, including source code, configuration files, and credentials stored on the host. Integrity is compromised as the attacker can modify application state, tamper with source repositories, or back-door the system. Availability is affected as the attacker can terminate processes, delete critical files, or consume system resources.

The complexity of the attack is relatively high, as it requires the attacker to find a reliable method to inject environment variables into the execution pipeline and chain it with a subsequent Git command execution. However, the privileges required are low, as any approved execution request or malicious plugin can potentially trigger the flaw.

Remediation

The primary remediation strategy is to upgrade the OpenClaw npm package to version 2026.4.8 or later. This version contains the comprehensive fix for the build tool injection class of vulnerabilities, including the addition of the missing Git plumbing variables to the security policy denylist. Development teams should integrate this update into their dependency management pipelines immediately.

If an immediate upgrade is not feasible, administrators can implement mitigating controls by restricting the application's ability to execute shell commands. This may involve disabling specific plugins or skills that rely on host command execution. Additionally, running the OpenClaw process within a restricted environment, such as a strictly configured container or a sandbox with limited file system access, can contain the impact of successful exploitation.

Security and development teams should review custom application logic that interacts with exec or spawn functions. Ensuring that environment variables are strictly sanitized or, preferably, validated against a minimal allowlist is critical for preventing similar injection vulnerabilities. Continuous monitoring for anomalous child process execution can also aid in detecting exploitation attempts.

Technical Appendix

CVSS Score
8.8/ 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

OpenClaw npm package (< 2026.4.8)

Affected Versions Detail

Product
Affected Versions
Fixed Version
openclaw
OpenClaw
< 2026.4.82026.4.8
AttributeDetail
CWECWE-184
Attack VectorLocal / Execution Pipeline
ImpactArbitrary Code Execution (RCE)
CVSS8.8
Exploit StatusConfirmed Vector
RemediationUpgrade to 2026.4.8

MITRE ATT&CK Mapping

T1059.004Command and Scripting Interpreter: Unix Shell
Execution
T1554Compromise Client Software Binary
Persistence
T1574Hijack Execution Flow
Privilege Escalation
CWE-184
Incomplete List of Disallowed Elements

The software uses a denylist to prevent specific variables, but fails to include necessary values, allowing an attacker to bypass intended restrictions.

Vulnerability Timeline

Discovery of initial variant GHSA-m866-6qv5-p2fg
2026-03-25
Identification of the broader GHSA-cm8v-2vh9-cxf3 class of vulnerabilities
2026-04-02
Disclosure of GHSA-cm8v-2vh9-cxf3
2026-04-07
Release of openclaw version 2026.4.8 containing the patch
2026-04-08

References & Sources

  • [1]GitHub Advisory: GHSA-cm8v-2vh9-cxf3
  • [2]Parent Advisory (GHSA-m866-6qv5-p2fg)
  • [3]Related Variant (GHSA-7437-7hg8-frrw)
  • [4]OpenClaw Repository
  • [5]Vulnerability Tracker
Related Vulnerabilities
GHSA-m866-6qv5-p2fgGHSA-7437-7hg8-frrw

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 12 hours ago•CVE-2026-53634
4.3

CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller

Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.

Alon Barad
Alon Barad
6 views•5 min read
•about 12 hours ago•CVE-2026-49471
8.3

CVE-2026-49471: Unauthenticated Remote Code Execution in Serena MCP Toolkit via DNS Rebinding and Memory Poisoning

CVE-2026-49471 is a high-severity security vulnerability in Serena, an AI-assisted coding Model Context Protocol (MCP) toolkit. In versions prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a predictable port. Lacking host validation and CSRF protections, this endpoint is vulnerable to DNS Rebinding. An attacker can lure a user to a malicious webpage, bypass the Same-Origin Policy (SOP), rewrite the AI agent's persistent memory, and execute arbitrary commands on the host operating system via the autonomous agent's shell execution engine.

Alon Barad
Alon Barad
11 views•5 min read
•about 13 hours ago•GHSA-MXWC-WH95-PW4G
5.3

GHSA-MXWC-WH95-PW4G: Denial of Service via Uncontrolled Recursion in Trapster DNS Parser

The trapster honeypot package is vulnerable to a remote denial of service (DoS) vulnerability due to uncontrolled recursion during the parsing of malformed DNS compression pointers in the decode_labels function.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 13 hours ago•GHSA-Q95X-7G78-RCCV
6.3

GHSA-Q95X-7G78-RCCV: Safe Rust Memory Corruption via Use-After-Free in oneringbuf Crate

A critical Use-After-Free (UAF) memory corruption vulnerability exists in the oneringbuf Rust crate prior to version 0.8.0. The vulnerability allows safe Rust code to instantiate and clone reference wrappers that point to heap-allocated ring buffers. Dropping one wrapper prematurely reclaims the backing memory, leading to dangling pointer references and subsequent Use-After-Free or Double Free states.

Amit Schendel
Amit Schendel
7 views•7 min read
•1 day ago•CVE-2026-53359
8.8

CVE-2026-53359: Use-After-Free in Linux Kernel KVM Shadow MMU (Januscape)

Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.

Amit Schendel
Amit Schendel
114 views•5 min read
•1 day ago•CVE-2026-48282
10.0

CVE-2026-48282: Unauthenticated Path Traversal and Arbitrary File Write in Adobe ColdFusion Remote Development Services

CVE-2026-48282 is a critical unauthenticated path traversal and arbitrary file write vulnerability in the Remote Development Services (RDS) component of Adobe ColdFusion. The vulnerability allows a remote, unauthenticated attacker to bypass directory boundaries and write arbitrary files, including CFML-based web shells, onto the host server. This flaw is actively exploited in the wild and enables full unauthenticated remote code execution under the privileges of the ColdFusion service account.

Alon Barad
Alon Barad
48 views•6 min read