GHSA-j6c7-3h5x-99g9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j6c7-3h5x-99g9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-j6c7-3h5x-99g9/GHSA-j6c7-3h5x-99g9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j6c7-3h5x-99g9
- Aliases
-
- CVE-2026-42435
- Downstream
- Published
- 2026-04-17T21:53:36Z
- Modified
- 2026-05-05T11:48:45Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms
- Details
-
Summary
Shell-wrapper detection missed env-argv assignment injection forms.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
>= 2026.2.22 < 2026.4.12 - Patched versions:
>= 2026.4.12
Impact
Exec preflight handling missed shell-wrapper and argv-level environment assignment forms that could affect execution semantics, including high-risk shell environment controls.
Technical Details
The fix broadens shell-wrapper detection and blocks environment assignments in argv forms. High-risk shell variables such as
SHELLOPTSandPS4are covered by the host environment security policy.Fix
The issue was fixed in #65717. The first stable tag containing the fix is
v2026.4.12, andopenclaw@2026.4.14includes the fix.Fix Commit(s)
8f8492d172f4c5b4fd7dd9a47855ed620c8770ab- PR: #65717
Release Process Note
Users should upgrade to
openclaw2026.4.12 or newer. The latest npm release,2026.4.14, already includes the fix.Credits
Thanks to @decsecre583 for reporting this issue.
- Package:
- Database specific
{ "cwe_ids": [ "CWE-78" ], "github_reviewed": true, "github_reviewed_at": "2026-04-17T21:53:36Z", "nvd_published_at": null, "severity": "MODERATE" }- References
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw