GHSA-jccr-rrw2-vc8h: OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure

March 31, 2026 (updated April 8, 2026)

The jq safe-bin policy blocked explicit env usage but still allowed jq programs that accessed environment data through $ENV.

References

github.com/advisories/GHSA-jccr-rrw2-vc8h
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/78e2f3d66d74e5c7e6f45c54162e63986e39771b
github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h

Code Behaviors & Features

Detect and mitigate GHSA-jccr-rrw2-vc8h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →