OpenClaw fails to strip git plumbing environment variables (GIT_DIR, GIT_WORK_TREE, and related vars) from its exec environment before invoking host git operations, a variant of the previously patched GHSA-m866-6qv5-p2fg. An attacker who can control the shell environment of the user running OpenClaw — through a malicious workspace .env file, poisoned shell profile, or a prompt injection chain — can redirect git operations to an attacker-controlled directory, enabling arbitrary git hook execution and potential credential theft. While severity is rated low with no active KEV or EPSS data, the openclaw package carries 61 known CVEs and AIID #1368 documents real-world abuse of its skills ecosystem to deliver AMOS credential-stealing malware, indicating this is a package with a materially elevated aggregate risk profile. Organizations running OpenClaw should upgrade to version 2026.4.8 immediately, audit shell environments for unexpected GIT_* variables, and review git hook directories in any workspace the agent accesses.
What is the risk?
Formally rated low severity with no CVSS vector, EPSS score, or CISA KEV status, limiting immediate triage urgency. However, aggregate risk is elevated by three compounding factors: 61 known CVEs in the same package, documented real-world ecosystem abuse (AIID #1368), and the agent's privileged filesystem access in typical developer environments. Exploitation requires local environment variable control, which narrows the remote threat surface but is achievable through poisoned configs, malicious repositories, or prompt injection in agentic pipelines where OpenClaw processes untrusted input. The vuln is a known-class issue (missing denylist entry) with a clear fix, reducing novelty risk.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.8 | 2026.4.8 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Upgrade openclaw to version 2026.4.8 immediately — this is the only fully remediated path.
-
Until patched, audit shell environments for unexpected values in GIT_DIR, GIT_WORK_TREE, GIT_CONFIG, GIT_EXEC_PATH, and GIT_TEMPLATE_DIR.
-
Launch OpenClaw with a sanitized environment where feasible (e.g., env -i HOME=$HOME PATH=$PATH openclaw) to strip inherited git vars.
-
Inspect .git/hooks directories in all workspaces OpenClaw accesses for unauthorized executables.
-
Given 61 cumulative CVEs in this package, conduct a holistic risk review — consider whether openclaw meets your acceptable risk threshold before continued production use.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-cm8v-2vh9-cxf3?
OpenClaw fails to strip git plumbing environment variables (GIT_DIR, GIT_WORK_TREE, and related vars) from its exec environment before invoking host git operations, a variant of the previously patched GHSA-m866-6qv5-p2fg. An attacker who can control the shell environment of the user running OpenClaw — through a malicious workspace .env file, poisoned shell profile, or a prompt injection chain — can redirect git operations to an attacker-controlled directory, enabling arbitrary git hook execution and potential credential theft. While severity is rated low with no active KEV or EPSS data, the openclaw package carries 61 known CVEs and AIID #1368 documents real-world abuse of its skills ecosystem to deliver AMOS credential-stealing malware, indicating this is a package with a materially elevated aggregate risk profile. Organizations running OpenClaw should upgrade to version 2026.4.8 immediately, audit shell environments for unexpected GIT_* variables, and review git hook directories in any workspace the agent accesses.
Is GHSA-cm8v-2vh9-cxf3 actively exploited?
No confirmed active exploitation of GHSA-cm8v-2vh9-cxf3 has been reported, but organizations should still patch proactively.
How to fix GHSA-cm8v-2vh9-cxf3?
1. Upgrade openclaw to version 2026.4.8 immediately — this is the only fully remediated path. 2. Until patched, audit shell environments for unexpected values in GIT_DIR, GIT_WORK_TREE, GIT_CONFIG, GIT_EXEC_PATH, and GIT_TEMPLATE_DIR. 3. Launch OpenClaw with a sanitized environment where feasible (e.g., env -i HOME=$HOME PATH=$PATH openclaw) to strip inherited git vars. 4. Inspect .git/hooks directories in all workspaces OpenClaw accesses for unauthorized executables. 5. Given 61 cumulative CVEs in this package, conduct a holistic risk review — consider whether openclaw meets your acceptable risk threshold before continued production use.
What systems are affected by GHSA-cm8v-2vh9-cxf3?
This vulnerability affects the following AI/ML architecture patterns: local AI assistants, agent frameworks, developer tooling pipelines.
What is the CVSS score for GHSA-cm8v-2vh9-cxf3?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation AML.T0055 Unsecured Credentials AML.T0081 Modify AI Agent Configuration AML.T0112.000 Local AI Agent Compliance Controls Affected
What are the technical details?
Original Advisory
## Impact GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant). Git plumbing environment variables were not removed before host exec and could redirect Git operations. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.3.30` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @boy-hack of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
Exploitation Scenario
An adversary compromises a developer's workspace by injecting a malicious .env file into a project directory that sets GIT_DIR=/tmp/attacker-repo. When the developer's OpenClaw session performs any git operation — checking for skill updates, reading repository context, or fetching workspace metadata — git silently follows GIT_DIR to the attacker's repository. A malicious post-checkout or post-merge hook in that directory executes arbitrary commands under the developer's account, exfiltrating API keys, SSH credentials, or cloud provider tokens stored in the environment. In fully agentic contexts, this could be triggered remotely if OpenClaw processes untrusted external input (e.g., a user-supplied prompt referencing a malicious repo) that results in a git operation being performed.
Weaknesses (CWE)
CWE-184 Incomplete List of Disallowed Inputs
Primary
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Primary
CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
- [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw