CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.



GHSA-CM8V-2VH9-CXF3 (CVSS 8.8)

GHSA-cm8v-2vh9-cxf3: Remote Code Execution via Incomplete Environment Variable Denylist in OpenClaw

Alon Barad
Software Engineer

Apr 10, 2026

PoC Available

Executive Summary (TL;DR)

An incomplete denylist in OpenClaw's host execution security policy fails to block Git plumbing environment variables like GIT_DIR. Attackers can inject these variables to redirect Git operations to malicious repositories, leading to arbitrary code execution via Git hooks.

OpenClaw, an open-source AI assistant tool, suffers from a command execution vulnerability due to an incomplete blocklist of environment variables. The failure to filter Git plumbing variables such as GIT_DIR allows attackers to hijack subsequent Git command executions and achieve arbitrary code execution.

Vulnerability Overview

OpenClaw is an AI assistant tool available as an npm package. It provides functionality to execute shell commands on the host system to perform tasks such as file management and build processes. To mitigate command injection and execution risks, the application implements a security policy that sanitizes environment variables passed to child processes.

The security enforcement mechanisms rely on a blocklist approach defined within the src/infra/host-env-security-policy.json configuration file. The underlying enforcement logic is implemented in src/infra/host-env-security.ts. This sanitization process strips known dangerous variables, such as LD_PRELOAD, before executing external commands.

Vulnerability GHSA-cm8v-2vh9-cxf3 represents a failure in this blocklist mechanism, categorized as CWE-184: Incomplete List of Disallowed Elements. The blocklist omitted several Git-specific plumbing environment variables. This omission provides an avenue for attackers to manipulate the execution context of legitimate tools invoked by OpenClaw.

Root Cause Analysis

The vulnerability originates from the incomplete nature of the environment variable denylist used during command execution. While the application successfully blocked common exploitation vectors like library preloading, it failed to account for tool-specific configuration variables. This is part of a broader class of build tool environment injection vulnerabilities discovered in early 2026.

The core issue lies in the omission of Git plumbing variables, specifically GIT_DIR, GIT_WORK_TREE, GIT_INDEX_FILE, GIT_OBJECT_DIRECTORY, and GIT_ALTERNATE_OBJECT_DIRECTORIES. These variables define the foundational paths and state mechanisms that the Git binary relies on during execution. When these variables are externally controlled, they override the standard behavior of the Git executable.

By manipulating GIT_DIR, an attacker specifies an arbitrary directory as the root of the Git repository. The Git executable will then read configuration files and hook scripts from this attacker-controlled directory rather than the legitimate workspace. This redirection fundamentally breaks the trust boundary between the OpenClaw execution environment and the host system.

Code Analysis

The vulnerable implementation utilized a static JSON array to define forbidden environment variables. Prior to version 2026.4.8, this array missed the critical Git plumbing variables. The oversight allowed malicious values to pass through the host-env-security.ts filter unhindered.

The following code block illustrates the state of src/infra/host-env-security-policy.json before the patch. The array lacks the necessary Git-specific entries.

{
  "blockedEnvironmentVariables": [
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "NODE_OPTIONS",
    "PYTHONPATH"
  ]
}

The patch introduced in version 2026.4.8 explicitly adds the missing Git variables to the denylist. This update ensures that any exec request attempting to set these variables is intercepted and sanitized.

{
  "blockedEnvironmentVariables": [
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "NODE_OPTIONS",
    "PYTHONPATH",
    "GIT_DIR",
    "GIT_WORK_TREE",
    "GIT_INDEX_FILE",
    "GIT_OBJECT_DIRECTORY",
    "GIT_ALTERNATE_OBJECT_DIRECTORIES"
  ]
}

While this patch remediates the immediate vulnerability, relying exclusively on a denylist remains an inherent architectural weakness. The application must continually update this list as new tools and environment variables are introduced. A more resilient approach would involve a strict allowlist of permitted environment variables.

Exploitation

Exploitation requires the attacker to influence the environment variables passed to an exec call within OpenClaw. This can be achieved through a malicious skill, a compromised plugin, or crafted user input that interacts with the command execution pipeline. The attacker first prepares a malicious directory on the host system or relies on an existing writable path.

The attacker populates this directory with a .git/hooks/ structure containing an executable script, such as a pre-commit or post-checkout hook. The payload within the hook script contains the arbitrary commands the attacker wishes to execute. The attacker then submits a request to OpenClaw that injects the GIT_DIR environment variable, pointing it to the prepared directory.

When OpenClaw subsequently executes any legitimate Git command as part of its normal operation, the Git binary parses the injected GIT_DIR variable. It redirects its execution context to the attacker's directory and executes the malicious hook script. This results in arbitrary code execution within the context of the OpenClaw application process.

Impact Assessment

Successful exploitation of this vulnerability yields arbitrary code execution on the host system running OpenClaw. The executed code runs with the privileges of the OpenClaw process. This access allows the attacker to compromise the confidentiality, integrity, and availability of the underlying system.

In terms of confidentiality, the attacker gains the ability to read sensitive files, including source code, configuration files, and credentials stored on the host. Integrity is compromised as the attacker can modify application state, tamper with source repositories, or back-door the system. Availability is affected as the attacker can terminate processes, delete critical files, or consume system resources.

The complexity of the attack is relatively high, as it requires the attacker to find a reliable method to inject environment variables into the execution pipeline and chain it with a subsequent Git command execution. However, the privileges required are low, as any approved execution request or malicious plugin can potentially trigger the flaw.

Remediation

The primary remediation strategy is to upgrade the OpenClaw npm package to version 2026.4.8 or later. This version contains the comprehensive fix for the build tool injection class of vulnerabilities, including the addition of the missing Git plumbing variables to the security policy denylist. Development teams should integrate this update into their dependency management pipelines immediately.

If an immediate upgrade is not feasible, administrators can implement mitigating controls by restricting the application's ability to execute shell commands. This may involve disabling specific plugins or skills that rely on host command execution. Additionally, running the OpenClaw process within a restricted environment, such as a strictly configured container or a sandbox with limited file system access, can contain the impact of successful exploitation.

Security and development teams should review custom application logic that interacts with exec or spawn functions. Ensuring that environment variables are strictly sanitized or, preferably, validated against a minimal allowlist is critical for preventing similar injection vulnerabilities. Continuous monitoring for anomalous child process execution can also aid in detecting exploitation attempts.
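The denylist-versus-allowlist contrast drawn at the end of Code Analysis and again in the paragraph above, as an added example that is not OpenClaw's code. The function names, the two policy lists and the sample values are assumptions made for illustration; only the pre-patch denylist is taken from the page.

```typescript
// Added example; not OpenClaw's code. All names below are hypothetical.
type Env = { [name: string]: string };

// Denylist as the page shows it before 2026.4.8.
const PRE_PATCH_DENYLIST = ["LD_PRELOAD", "LD_LIBRARY_PATH", "NODE_OPTIONS", "PYTHONPATH"];

// Assumed policy: what the child inherits from the host, and the few
// variables a request may set itself. Tune both lists per deployment.
const INHERIT_FROM_HOST = ["PATH", "HOME", "LANG"];
const REQUEST_MAY_SET = ["LANG", "TZ"];

// Denylist filter: every name that is not listed passes through.
function filterWithDenylist(requested: Env, denylist: string[]): Env {
  const out: Env = {};
  for (const name of Object.keys(requested)) {
    if (denylist.indexOf(name) === -1) out[name] = requested[name];
  }
  return out;
}

// Allowlist builder: start from an empty environment, copy only the
// inheritable host variables, then accept only permitted request overrides.
// Rejected names are returned so the caller can log them for monitoring.
function buildChildEnv(host: Env, requested: Env): { env: Env; rejected: string[] } {
  const env: Env = {};
  const rejected: string[] = [];
  for (const name of INHERIT_FROM_HOST) {
    const value = host[name];
    if (value !== undefined) env[name] = value;
  }
  for (const name of Object.keys(requested).sort()) {
    if (REQUEST_MAY_SET.indexOf(name) !== -1) env[name] = requested[name];
    else rejected.push(name);
  }
  return { env, rejected };
}

// Constructed sample data: a host environment and an exec request's variables.
const sampleHost: Env = { PATH: "/usr/bin:/bin", HOME: "/home/agent", LANG: "C", SECRET_TOKEN: "x" };
const sampleRequest: Env = { TZ: "UTC", GIT_DIR: "/tmp/example", LD_PRELOAD: "/tmp/example.so" };

const denylisted = filterWithDenylist(sampleRequest, PRE_PATCH_DENYLIST);
const allowlisted = buildChildEnv(sampleHost, sampleRequest);
console.log(Object.keys(denylisted), allowlisted.rejected);
```

With the pre-patch denylist, GIT_DIR survives filtering; with the allowlist it is rejected without ever having been named in the policy, and unrelated host variables are not inherited either.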

Technical Appendix

CVSS Score

8.8 / 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

OpenClaw npm package (< 2026.4.8)

Affected Versions Detail

Product | Affected Versions | Fixed Version
openclaw (OpenClaw) | < 2026.4.8 | 2026.4.8

Attribute | Detail
CWE | CWE-184
Attack Vector | Local / Execution Pipeline
Impact | Arbitrary Code Execution (RCE)
CVSS | 8.8
Exploit Status | Confirmed Vector
Remediation | Upgrade to 2026.4.8

MITRE ATT&CK Mapping

  • T1059.004 Command and Scripting Interpreter: Unix Shell (Execution)
  • T1554 Compromise Client Software Binary (Persistence)
  • T1574 Hijack Execution Flow (Privilege Escalation)

CWE-184: Incomplete List of Disallowed Elements

The software uses a denylist to prevent specific variables, but fails to include necessary values, allowing an attacker to bypass intended restrictions.

Vulnerability Timeline

  • 2026-03-25: Discovery of initial variant GHSA-m866-6qv5-p2fg
  • 2026-04-02: Identification of the broader GHSA-cm8v-2vh9-cxf3 class of vulnerabilities
  • 2026-04-07: Disclosure of GHSA-cm8v-2vh9-cxf3
  • 2026-04-08: Release of openclaw version 2026.4.8 containing the patch

Related Vulnerabilities

  • GHSA-m866-6qv5-p2fg
  • GHSA-7437-7hg8-frrw
