GHSA-2fgq-7j6h-9rm4

Summary

system.run allowed SHELLOPTS + PS4 environment injection to trigger command substitution during bash -lc xtrace expansion before the allowlisted command body executed.

Affected Packages / Versions

• Package: openclaw (npm)
• Affected: <= 2026.2.21-2 (includes latest published npm version at triage time)
• Patched (planned next release): 2026.2.22

Impact

In allowlist mode, an attacker who can invoke system.run with request-scoped env could execute additional shell commands outside the intended allowlisted command body.

Root Cause

Host exec env sanitization blocked startup-file vectors (BASH_ENV, ENV, etc.) but did not block SHELLOPTS/PS4. For shell wrappers (bash|sh|zsh ... -c/-lc), request env overrides were passed through and bash evaluated PS4 under xtrace, enabling command substitution.

Fix

• Block SHELLOPTS and PS4 in host exec env sanitizers (Node + macOS).
• For shell wrappers (bash|sh|zsh ... -c/-lc), reduce request-scoped env overrides to an explicit allowlist (TERM, LANG, LC_*, COLORTERM, NO_COLOR, FORCE_COLOR).
• Add regression tests for TS and macOS paths.

Fix Commit(s)

• e80c803fa887f9699ad87a9e906ab5c1ff85bd9a

Release Process Note

patched_versions is pre-set to the planned next release (2026.2.22). Once npm release 2026.2.22 is published, advisory publication is a final state action only.

Severity Rationale

This advisory is rated medium because exploitation requires a caller that can already invoke system.run with request-scoped env.

Under OpenClaw's documented trust model (SECURITY.md), authenticated Gateway callers are treated as trusted operators, and adversarial multi-operator / prompt-injection scenarios are out of scope.

The bug remains a real allowlist-intent bypass, but it does not cross a separate trust boundary in the documented deployment assumptions.

OpenClaw thanks @tdjackey for reporting.