GHSA-5H2C-8V84-QPVR
Vulnerability from github – Published: 2026-03-03 21:39 – Updated: 2026-03-03 21:39Summary
OpenClaw shell-env fallback trusted startup environment values and could execute attacker-influenced login-shell startup paths before loading env keys.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
>= 2026.1.5and<= 2026.2.21-2 - Fixed on
main:9363c320d8ffe29290906752fab92621da02c3f7 - Planned patched release version (pre-set):
2026.2.22
Details
The vulnerable chain was in the shell-env fallback path:
src/infra/shell-env.tsresolveShell(env)trustedenv.SHELLwhen set.-
execLoginShellEnvZero(...)executed${SHELL} -l -c "env -0"with inherited runtime env. -
src/config/io.ts -
Config env values were applied before shell fallback execution.
-
src/config/env-vars.ts/ env policy coverage SHELLhandling was hardened, but startup-path selectors (HOME,ZDOTDIR) still needed explicit blocking in config env ingestion and sanitization for shell fallback execution.
With env/config influence, this could trigger unintended command execution in shell startup processing on the OpenClaw host process context.
Fix
Mainline hardening now:
- blocks SHELL, HOME, and ZDOTDIR during config env ingestion used by runtime fallback,
- sanitizes shell fallback execution env, pinning HOME to the real user home and dropping ZDOTDIR + dangerous startup vars,
- adds regression tests for config env ingestion and shell fallback/path-probe sanitization.
Fix Commit(s)
9363c320d8ffe29290906752fab92621da02c3f7
Impact
- Local code-execution risk in environments where attacker-controlled env/config input can reach shell-env fallback.
- Under OpenClaw trust assumptions (
SECURITY.md), this is not a public-remote issue and depends on crossing local trusted-operator boundaries.
Release Process Note
patched_versions is intentionally pre-set to the planned next release (2026.2.22) so once npm release is out, maintainers can publish advisory immediately.
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-15",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:39:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nOpenClaw shell-env fallback trusted startup environment values and could execute attacker-influenced login-shell startup paths before loading env keys.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003e= 2026.1.5` and `\u003c= 2026.2.21-2`\n- Fixed on `main`: `9363c320d8ffe29290906752fab92621da02c3f7`\n- Planned patched release version (pre-set): `2026.2.22`\n\n### Details\nThe vulnerable chain was in the shell-env fallback path:\n\n1. `src/infra/shell-env.ts`\n- `resolveShell(env)` trusted `env.SHELL` when set.\n- `execLoginShellEnvZero(...)` executed `${SHELL} -l -c \"env -0\"` with inherited runtime env.\n\n2. `src/config/io.ts`\n- Config env values were applied before shell fallback execution.\n\n3. `src/config/env-vars.ts` / env policy coverage\n- `SHELL` handling was hardened, but startup-path selectors (`HOME`, `ZDOTDIR`) still needed explicit blocking in config env ingestion and sanitization for shell fallback execution.\n\nWith env/config influence, this could trigger unintended command execution in shell startup processing on the OpenClaw host process context.\n\n### Fix\nMainline hardening now:\n- blocks `SHELL`, `HOME`, and `ZDOTDIR` during config env ingestion used by runtime fallback,\n- sanitizes shell fallback execution env, pinning `HOME` to the real user home and dropping `ZDOTDIR` + dangerous startup vars,\n- adds regression tests for config env ingestion and shell fallback/path-probe sanitization.\n\n### Fix Commit(s)\n- `9363c320d8ffe29290906752fab92621da02c3f7`\n\n### Impact\n- Local code-execution risk in environments where attacker-controlled env/config input can reach shell-env fallback.\n- Under OpenClaw trust assumptions (`SECURITY.md`), this is not a public-remote issue and depends on crossing local trusted-operator boundaries.\n\n### Release Process Note\n`patched_versions` is intentionally pre-set to the planned next release (`2026.2.22`) so once npm release is out, maintainers can publish advisory immediately.\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-5h2c-8v84-qpvr",
"modified": "2026-03-03T21:39:51Z",
"published": "2026-03-03T21:39:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/9363c320d8ffe29290906752fab92621da02c3f7"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.