GHSA-cm8v-2vh9-cxf3: openclaw: git env var injection enables host redirect

GHSA-cm8v-2vh9-cxf3 LOW
Published April 9, 2026
CISO Take

OpenClaw fails to strip git plumbing environment variables (GIT_DIR, GIT_WORK_TREE, and related vars) from its exec environment before invoking host git operations, a variant of the previously patched GHSA-m866-6qv5-p2fg. An attacker who can control the shell environment of the user running OpenClaw — through a malicious workspace .env file, poisoned shell profile, or a prompt injection chain — can redirect git operations to an attacker-controlled directory, enabling arbitrary git hook execution and potential credential theft. While severity is rated low with no active KEV or EPSS data, the openclaw package carries 61 known CVEs and AIID #1368 documents real-world abuse of its skills ecosystem to deliver AMOS credential-stealing malware, indicating this is a package with a materially elevated aggregate risk profile. Organizations running OpenClaw should upgrade to version 2026.4.8 immediately, audit shell environments for unexpected GIT_* variables, and review git hook directories in any workspace the agent accesses.

Sources: GitHub Advisory, ATLAS, CISA KEV

What is the risk?

The advisory is formally rated low severity, with no CVSS vector, EPSS score, or CISA KEV status, which limits immediate triage urgency. However, aggregate risk is elevated by three compounding factors: 61 known CVEs in the same package, documented real-world ecosystem abuse (AIID #1368), and the agent's privileged filesystem access in typical developer environments. Exploitation requires local environment variable control, which narrows the remote threat surface but is achievable through poisoned configs, malicious repositories, or prompt injection in agentic pipelines where OpenClaw processes untrusted input. The vulnerability is a known-class issue (missing denylist entry) with a clear fix, reducing novelty risk.

Attack Kill Chain

  1. Environment Poisoning (AML.T0080): Attacker injects malicious git plumbing variables (GIT_DIR, GIT_WORK_TREE) into the user's shell environment via a poisoned .env file, compromised shell profile, or prompt injection targeting OpenClaw's input processing.

  2. Exec Without Sanitization (AML.T0053): OpenClaw performs a git operation (update check, workspace scan, skill fetch) and passes the unsanitized environment to the child process; git silently follows the attacker-controlled GIT_DIR instead of the legitimate repository.

  3. Git Hook Execution (AML.T0050): Git triggers hooks (post-checkout, post-merge, etc.) present in the attacker-controlled GIT_DIR, executing arbitrary commands under the developer's user context without user awareness.

  4. Credential Theft and Persistence (AML.T0112.000): Malicious hooks exfiltrate API keys, SSH credentials, cloud provider tokens, or shell session data from the developer's environment, or install persistent backdoors on the host machine.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.4.8 | 2026.4.8 |

4 dependents, 91% patched, ~0d to patch

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Upgrade openclaw to version 2026.4.8 immediately — this is the only fully remediated path.

  2. Until patched, audit shell environments for unexpected values in GIT_DIR, GIT_WORK_TREE, GIT_CONFIG, GIT_EXEC_PATH, and GIT_TEMPLATE_DIR.

  3. Launch OpenClaw with a sanitized environment where feasible (e.g., env -i HOME=$HOME PATH=$PATH openclaw) to strip inherited git vars.

  4. Inspect .git/hooks directories in all workspaces OpenClaw accesses for unauthorized executables.

  5. Given 61 cumulative CVEs in this package, conduct a holistic risk review — consider whether openclaw meets your acceptable risk threshold before continued production use.
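
Steps 2 to 4 as shell helpers, added here as an example (not part of the advisory or of OpenClaw's code). The function names `audit_git_env`, `run_scrubbed` and `list_active_hooks` are hypothetical, and the variable list is the one from step 2.

```sh
#!/bin/sh
# Added example: audit helpers for the mitigation steps above.
# The variable list is the one named in step 2; extend it as needed.
GIT_PLUMBING_VARS="GIT_DIR GIT_WORK_TREE GIT_CONFIG GIT_EXEC_PATH GIT_TEMPLATE_DIR"

# Step 2: print NAME=value for each listed variable that is exported in the
# current environment. Prints nothing when none of them are set.
audit_git_env() {
    for name in $GIT_PLUMBING_VARS; do
        if value=$(printenv "$name"); then
            printf '%s=%s\n' "$name" "$value"
        fi
    done
}

# Step 3 (narrower than `env -i`): run a command in a subshell with only the
# listed variables removed, leaving the caller's environment untouched.
run_scrubbed() {
    (
        for name in $GIT_PLUMBING_VARS; do
            unset "$name"
        done
        exec "$@"
    )
}

# Step 4: print every executable file in WORKSPACE/.git/hooks that is not one
# of the *.sample templates git installs by default.
list_active_hooks() {
    hooks_dir="$1/.git/hooks"
    [ -d "$hooks_dir" ] || return 0
    for hook in "$hooks_dir"/*; do
        [ -f "$hook" ] && [ -x "$hook" ] || continue
        case "$hook" in
            *.sample) continue ;;
        esac
        printf '%s\n' "$hook"
    done
}

# Stand-alone use: report on the current environment, then on each workspace
# path passed as an argument.
audit_git_env
for workspace in "$@"; do
    list_active_hooks "$workspace"
done
```

Any output line is something to review. A `core.hooksPath` setting in git config moves the hooks directory, so check that value as well as `.git/hooks`.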

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI System Security
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain deployment of safe and effective AI systems
OWASP LLM Top 10: LLM06:2025 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is GHSA-cm8v-2vh9-cxf3 actively exploited?

No confirmed active exploitation of GHSA-cm8v-2vh9-cxf3 has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-cm8v-2vh9-cxf3?

This vulnerability affects the following AI/ML architecture patterns: local AI assistants, agent frameworks, developer tooling pipelines.

What is the CVSS score for GHSA-cm8v-2vh9-cxf3?

No CVSS score has been assigned yet.

AI Security Impact

Affected AI Architectures

local AI assistants, agent frameworks, developer tooling pipelines

MITRE ATLAS Techniques

AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0055 Unsecured Credentials
AML.T0081 Modify AI Agent Configuration
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

Technical Details

Original Advisory

## Impact

GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant).

Git plumbing environment variables were not removed before host exec and could redirect Git operations.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<=2026.3.30`
- Patched versions: `2026.4.8`

## Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

## Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

## Credits

Thanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.

Exploitation Scenario

An adversary compromises a developer's workspace by injecting a malicious .env file into a project directory that sets GIT_DIR=/tmp/attacker-repo. When the developer's OpenClaw session performs any git operation — checking for skill updates, reading repository context, or fetching workspace metadata — git silently follows GIT_DIR to the attacker's repository. A malicious post-checkout or post-merge hook in that directory executes arbitrary commands under the developer's account, exfiltrating API keys, SSH credentials, or cloud provider tokens stored in the environment. In fully agentic contexts, this could be triggered remotely if OpenClaw processes untrusted external input (e.g., a user-supplied prompt referencing a malicious repo) that results in a git operation being performed.

Timeline

Published: April 9, 2026
Last Modified: April 9, 2026
First Seen: April 10, 2026
