GHSA-5mh4-3rv3-fpcf: Duplicate Advisory: OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
(updated )
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-cg7q-fg22-4g98. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system configurations and compromise host execution integrity.
References
- github.com/advisories/GHSA-5mh4-3rv3-fpcf
- github.com/openclaw/openclaw/commit/eb8de6715f02949c21c4e895fffc8a6dcb00975c
- github.com/openclaw/openclaw/security/advisories/GHSA-cg7q-fg22-4g98
- nvd.nist.gov/vuln/detail/CVE-2026-41369
- www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-sanitization-in-host-execution
Code Behaviors & Features
Detect and mitigate GHSA-5mh4-3rv3-fpcf with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →