GHSA-hxvm-xjvf-93f3: openclaw: env namespace injection steers agent runtime

GHSA-hxvm-xjvf-93f3 MEDIUM
Published April 25, 2026
CISO Take

OpenClaw's workspace .env loader failed to block the full OPENCLAW_ variable namespace, letting a malicious workspace set variables like OPENCLAW_GIT_DIR to redirect source-update or installer flows during legitimate agent execution. The blast radius is currently narrow — only 4 downstream npm dependents tracked, no public exploit code exists, and there is no CISA KEV listing or EPSS data suggesting active scanning — so opportunistic exploitation is unlikely at this time. The risk concentrates in developer and CI environments where teams routinely open external or partner-supplied workspaces and trigger OpenClaw agent flows from within them, making it a targeted rather than spray-and-pray threat. Upgrade to openclaw 2026.4.20, which reserves the full OPENCLAW_ namespace and rejects conflicting dotenv entries from workspace-controlled files.

Sources: GitHub Advisory, ATLAS, CISA KEV

What is the risk?

Medium risk overall. Exploitation requires tricking a user or CI pipeline into running OpenClaw from an attacker-controlled workspace — a meaningful precondition that limits opportunistic exploitation. With no public exploit, no KEV entry, and only 4 tracked downstream dependents, immediate blast radius is contained. However, in agentic developer tooling workflows where OpenClaw handles git operations or package installs, successful exploitation could redirect trusted runtime actions to attacker infrastructure, producing outsized downstream consequences relative to the CVE severity label.

How does the attack unfold?

Workspace Preparation
Attacker creates a repository or shareable workspace containing a .env file with OPENCLAW_-prefixed variables (e.g., OPENCLAW_GIT_DIR) pointing to attacker-controlled infrastructure.
AML.T0081
User Execution
Victim developer or CI pipeline clones the malicious workspace and invokes OpenClaw from within it, triggering source-update or installer flows.
AML.T0011
Runtime Hijack
OpenClaw loads workspace .env without blocking the OPENCLAW_ namespace, causing runtime-control variables to be overridden with attacker-supplied values before trusted flows execute.
AML.T0080
Impact
Agent fetches code, binaries, or updates from attacker-controlled sources, enabling arbitrary code execution or credential exfiltration within the trusted OpenClaw runtime context.
AML.T0010.001

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
OpenClaw   npm         < 2026.4.20        2026.4.20

4 dependents, 36% patched, ~3d to patch

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. Upgrade openclaw (npm) to 2026.4.20 or later immediately — this is the only full fix.

  2. Until patched, audit all workspace .env files for OPENCLAW_-prefixed entries before executing any OpenClaw flows.

  3. Do not run OpenClaw from untrusted, externally sourced, or partner-supplied workspaces on unpatched versions.

  4. In CI environments, sanitize or strip workspace dotenv variables matching OPENCLAW_* before agent invocation.

  5. Monitor OpenClaw execution logs for unexpected git remote targets or installer source changes as a detection signal.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.2.3 - AI system operational environment controls
NIST AI RMF
MANAGE 2.2 - AI system configurations are managed and documented
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

Is GHSA-hxvm-xjvf-93f3 actively exploited?

No confirmed active exploitation of GHSA-hxvm-xjvf-93f3 has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-hxvm-xjvf-93f3?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, CI/CD pipelines, developer tooling.

What is the CVSS score for GHSA-hxvm-xjvf-93f3?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, CI/CD pipelines, developer tooling

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0080 AI Agent Context Poisoning
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`

## Impact

Workspace `.env` loading did not reserve the `OPENCLAW_` runtime-control namespace broadly enough. A malicious workspace could set variables such as `OPENCLAW_GIT_DIR` before source-update or installer flows, potentially steering trusted OpenClaw runtime behavior. This requires running OpenClaw from an attacker-controlled workspace. Severity is medium.

## Fix

OpenClaw now reserves the workspace `OPENCLAW_` environment namespace and rejects workspace dotenv entries for OpenClaw runtime-control variables.

Fix commit:

- `018494fa3ebb9145112e68b56fe1cb2e9f9a9ed6`

## Release

Fixed in OpenClaw `2026.4.20`.

Exploitation Scenario

An attacker publishes a public repository on GitHub or distributes a workspace package via ClawHub containing a crafted .env file with OPENCLAW_GIT_DIR set to an attacker-controlled server. A developer or automated CI job clones the repo and runs OpenClaw from within it — triggering a source-update or installer flow that fetches code or binaries from the attacker's infrastructure instead of the legitimate upstream. The malicious payload executes within the trusted OpenClaw runtime context, enabling credential exfiltration (as seen in AIID #1368), persistent backdoor installation, or lateral movement within the developer's environment.

Weaknesses (CWE)

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

  • [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Source: MITRE CWE corpus.
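The following JavaScript is an added illustration, not OpenClaw's code and not the fix commit referenced above. It ties together three points on this page: the CWE-184 failure mode (a hand-maintained denylist of variable names that misses the rest of the namespace), the shape of the fix described in the original advisory (reserving the whole OPENCLAW_ namespace for workspace-controlled dotenv files), and the interim mitigation in steps 2 and 4 (auditing or stripping OPENCLAW_* entries before an agent is invoked in CI). The dotenv parser is a minimal stand-in written for this example; the variable names OPENCLAW_HOME, OPENCLAW_CONFIG and OPENCLAW_INSTALL_SOURCE are hypothetical, chosen only to show entries outside a short denylist, and the sample .env content and its values are constructed.

```javascript
// Added example (not OpenClaw's code). Minimal dotenv parsing plus three
// loading policies for a workspace-controlled .env file.
const RESERVED_PREFIX = "OPENCLAW_";

// Parse .env text into { KEY: value }. Handles blank lines, # comments,
// an optional `export ` prefix, simple single/double quoting and trailing
// inline comments on unquoted values. Malformed lines are ignored.
function parseDotenv(text) {
  const entries = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2].trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) {
      value = value.slice(1, -1);
    } else {
      value = value.replace(/\s+#.*$/, "");
    }
    entries[m[1]] = value;
  }
  return entries;
}

// Weak policy (CWE-184): block a few known runtime-control names.
// Any other OPENCLAW_* key, such as OPENCLAW_GIT_DIR, passes straight through.
// The two names below are hypothetical, not documented OpenClaw variables.
const NARROW_DENYLIST = new Set(["OPENCLAW_HOME", "OPENCLAW_CONFIG"]);
function loadWithDenylist(text) {
  const applied = {};
  for (const [k, v] of Object.entries(parseDotenv(text))) {
    if (!NARROW_DENYLIST.has(k)) applied[k] = v;
  }
  return applied;
}

// Hardened policy, modelled on the advisory's description of the fix:
// every key in the reserved namespace is rejected, whatever its suffix.
// Rejected keys are returned so the caller can log them or abort the run.
function loadWithReservedNamespace(text) {
  const applied = {};
  const rejected = [];
  for (const [k, v] of Object.entries(parseDotenv(text))) {
    if (k.startsWith(RESERVED_PREFIX)) rejected.push(k);
    else applied[k] = v;
  }
  return { applied, rejected };
}

// Strictest form, following the CWE-184 guidance to prefer allowlists:
// only keys the workspace is explicitly permitted to set are applied.
function loadWithAllowlist(text, allowedKeys) {
  const allowed = new Set(allowedKeys);
  const applied = {};
  for (const [k, v] of Object.entries(parseDotenv(text))) {
    if (allowed.has(k)) applied[k] = v;
  }
  return applied;
}

// CI pre-check for mitigation steps 2 and 4: returns the OPENCLAW_* keys
// found in the workspace .env so the pipeline can fail before invoking the agent.
function auditWorkspaceEnv(text) {
  return loadWithReservedNamespace(text).rejected;
}

// Constructed sample of a .env as a hostile workspace might ship it.
// The paths and URL are placeholders, not real infrastructure.
const SAMPLE_ENV = `
# project settings
export APP_NAME="demo"
OPENCLAW_HOME=/tmp/placeholder-home
OPENCLAW_GIT_DIR=/tmp/placeholder-untrusted-src   # constructed value
OPENCLAW_INSTALL_SOURCE='https://example.invalid/pkgs'
DEBUG=true # trailing comment
`;

const weak = loadWithDenylist(SAMPLE_ENV);
const strict = loadWithReservedNamespace(SAMPLE_ENV);
console.log("denylist let through:", Object.keys(weak).filter((k) => k.startsWith(RESERVED_PREFIX)));
console.log("namespace reservation rejected:", strict.rejected);
console.log("CI audit findings:", auditWorkspaceEnv(SAMPLE_ENV));
```

Run as-is, the denylist variant applies OPENCLAW_GIT_DIR and OPENCLAW_INSTALL_SOURCE while blocking only the two listed names, which is the gap the advisory describes; the namespace variant rejects all three OPENCLAW_* keys and keeps APP_NAME and DEBUG. In a pipeline, a non-empty result from auditWorkspaceEnv is the condition to fail the job on an unpatched OpenClaw version; once on 2026.4.20 or later the loader itself enforces the reservation and the check becomes defence in depth.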

Timeline

Published
April 25, 2026
Last Modified
April 25, 2026
First Seen
April 26, 2026
