GHSA-5mh4-3rv3-fpcf

Suggest an improvement
Source
https://github.com/advisories/GHSA-5mh4-3rv3-fpcf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-5mh4-3rv3-fpcf/GHSA-5mh4-3rv3-fpcf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5mh4-3rv3-fpcf
Downstream
Withdrawn
2026-05-06T19:11:41Z
Published
2026-04-28T00:31:41Z
Modified
2026-05-06T19:20:53.399949Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
Duplicate Advisory: OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cg7q-fg22-4g98. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system configurations and compromise host execution integrity.

Database specific 
{
    "nvd_published_at": "2026-04-28T00:16:26Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T19:11:41Z"
}
References

Affected packages

npm / openclaw

Package

Name
openclaw
View open source insights on deps.dev
Purl
pkg:npm/openclaw

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2026.3.31

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-5mh4-3rv3-fpcf/GHSA-5mh4-3rv3-fpcf.json"