GHSA-42mx-vp8m-j7qh: OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup

April 7, 2026

OpenShell mirror mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup

References

github.com/advisories/GHSA-42mx-vp8m-j7qh
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1
github.com/openclaw/openclaw/security/advisories/GHSA-42mx-vp8m-j7qh

Code Behaviors & Features

Detect and mitigate GHSA-42mx-vp8m-j7qh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →