GHSA-98ch-45wp-ch47: OpenClaw: Windows-compatible env override keys could bypass system.run approval binding

April 7, 2026

Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time.

References

github.com/advisories/GHSA-98ch-45wp-ch47
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d
github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47

Code Behaviors & Features

Detect and mitigate GHSA-98ch-45wp-ch47 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →