GHSA-98ch-45wp-ch47: OpenClaw: approval bypass via env key normalization gap

GHSA-98ch-45wp-ch47 MEDIUM
Published April 7, 2026
CISO Take

OpenClaw's system-run approval binding normalizes Windows-compatible environment variable keys differently from how the host executes them, creating a gap where attacker-injected env overrides never appear in the approval record yet take effect at runtime. For organizations using OpenClaw as a human-in-the-loop safety control in agentic pipelines, this directly undermines the integrity of that approval mechanism — approved commands can silently run with attacker-chosen environment overrides. No public exploit is available and this is not in CISA KEV, but the pattern of 37 CVEs in this package signals systemic security debt warranting close scrutiny of any OpenClaw deployment. Patch to openclaw >= 2026.4.2 immediately, prioritizing Windows-hosted deployments, and treat approval records generated by affected versions as potentially unreliable for compliance evidence.

Sources: GitHub Advisory, ATLAS

Risk Assessment

Medium severity with disproportionate impact for AI agent security posture. The core risk is not raw technical severity but trust violation: approval mechanisms in agentic AI are often the primary human-in-the-loop safety control, and undermining them can cascade into unauthorized tool execution, credential exposure, or lateral movement within agent-accessible systems. Windows deployments are uniquely vulnerable due to case-insensitive env key handling. The 37 other CVEs in openclaw suggest a package with systemic security debt that security teams should treat with elevated suspicion.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | <= 2026.4.1 | 2026.4.2 |


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Upgrade openclaw to >= 2026.4.2 immediately — the fix aligns approval binding with execution-time env-key normalization (commit 7eb094a).
  2. If patching is not immediately possible, restrict Windows-specific env key patterns in approval-bound workflows and treat all approvals as unverified.
  3. Audit existing approval logs for commands where execution environment may have differed from the approved binding — look for Windows-compatible key formats in recent approval records.
  4. For compliance purposes, treat any approval records generated under affected versions (<= 2026.4.1) as potentially compromised and document the gap in your risk register.
  5. Implement env variable sanitization at the orchestration layer as defense-in-depth, independent of OpenClaw's internal normalization.
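One way to implement the orchestration-layer check from step 5, as an added example that is not OpenClaw code and does not reproduce its normalization rules. The function name, the shape of the approval record (a list of env keys shown to the approver), and the sample values are assumptions.

```javascript
// Added example, not OpenClaw code. checkEnvOverrides and its inputs are hypothetical;
// it assumes the approval record exposes the env keys the approver actually saw.
// The advisory does not list the affected key shapes, so this guard fails closed:
// anything outside a strict portable pattern is refused.
const PORTABLE_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;

function checkEnvOverrides(requested, approvedKeys) {
  const problems = [];
  const approved = new Set(approvedKeys); // exact spellings shown to the approver
  const seen = new Map(); // upper-cased key -> first spelling encountered

  for (const key of Object.keys(requested)) {
    if (!PORTABLE_KEY.test(key)) {
      problems.push(`non-portable key ${JSON.stringify(key)}`);
      continue;
    }
    // Windows resolves env names case-insensitively, so PATH and Path are one variable.
    const folded = key.toUpperCase();
    if (seen.has(folded)) {
      problems.push(`case-insensitive duplicate ${seen.get(folded)}/${key}`);
    } else {
      seen.set(folded, key);
    }
    if (!approved.has(key)) {
      problems.push(`key ${key} missing from approval record`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample input: one approved override plus two that were never shown.
const sample = checkEnvOverrides(
  { NODE_ENV: "production", Path: "C:\\tools", "ProgramFiles(x86)": "D:\\pf" },
  ["NODE_ENV"]
);
console.log(sample.ok, sample.problems);
```

Run the check immediately before the process is spawned, on the exact override map handed to the host, and refuse execution when `ok` is false.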

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk Management System
ISO 42001: A.6.1.5 - AI System Integrity
NIST AI RMF: GOVERN-1.7 - Processes for AI Risk Management
OWASP LLM Top 10: LLM08 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Technical Details

NVD Description

## Summary

Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time.

## Impact

An approved command could run with attacker-chosen environment overrides that were not represented in the approval binding. This created an approval-integrity gap for affected host-exec flows.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d` — align approval binding with execution-time env-key normalization

## Release Process Note

The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.

Thanks @iskindar for reporting, and thanks @wsparks-vc for coordination.

Exploitation Scenario

An attacker with write access to the execution environment — through a compromised CI/CD pipeline, a poisoned upstream tool, or an existing foothold on the Windows host — crafts environment variable keys using Windows-compatible naming conventions that OpenClaw's approval normalizer strips out during binding review. A legitimate approver sees a clean command with no suspicious env overrides and grants approval. At execution time, those keys are still injected by the host, allowing the attacker to override PATH (redirecting execution to a malicious binary), inject proxy credentials for traffic interception, or point API endpoint variables to attacker-controlled infrastructure. The approval record shows nothing anomalous, providing the attacker with both execution and a falsified audit trail.

Timeline

Published: April 7, 2026
Last Modified: April 7, 2026
First Seen: April 7, 2026
