GHSA-82g8-464f-2mv7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-82g8-464f-2mv7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-82g8-464f-2mv7/GHSA-82g8-464f-2mv7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-82g8-464f-2mv7
- Aliases
- Downstream
- Published
- 2026-02-27T21:36:17Z
- Modified
- 2026-03-14T05:19:43.315252Z
- Severity
-
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
- Details
-
Summary
applySkillConfigEnvOverridespreviously copiedskills.entries.*.envvalues into the hostprocess.envwithout applying the host env safety policy.Impact
In affected versions, dangerous process-level variables such as
NODE_OPTIONScould be injected when unset, which can influence runtime/child-process behavior.Required attacker capability
An attacker must be able to modify OpenClaw local state/config (for example
~/.openclaw/openclaw.json) to setskills.entries.<skill>.envor related skill config values.Remediation
Fixed in
2026.2.21by sanitizing skill env overrides and blocking dangerous host env keys (includingNODE_OPTIONS) before applying overrides, with regression tests covering blocked dangerous keys.Fix Commit(s)
8c9f35cdb51692b650ddf05b259ccdd75cc9a83c
Found using MCPwner
- Database specific
{ "cwe_ids": [ "CWE-1341", "CWE-15", "CWE-94" ], "github_reviewed": true, "nvd_published_at": null, "severity": "MODERATE", "github_reviewed_at": "2026-02-27T21:36:17Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7
- https://nvd.nist.gov/vuln/detail/CVE-2026-4039
- https://github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9a83c
- https://github.com/openclaw/openclaw
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.21
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw