GHSA-mj59-h3q9-ghfh: openclaw: env var injection via MCP stdio config

GHSA-mj59-h3q9-ghfh MEDIUM
Published April 25, 2026
CISO Take

OpenClaw's MCP stdio handler failed to sanitize environment variables before passing them to spawned child processes, allowing a malicious workspace to inject NODE_OPTIONS, LD_PRELOAD, or BASH_ENV and achieve attacker-controlled code execution when an operator starts a session. Exploitation requires an operator to open an attacker-crafted workspace — constraining blast radius to local trust boundaries — but the growing culture of shared workspace templates and community skill repositories (evidenced by AIID #1368, where ~17% of OpenClaw skills in one sample were assessed as malicious) creates realistic distribution vectors that make this more than a theoretical risk. With no public exploit or KEV listing the urgency is moderate, but LD_PRELOAD injection gives full process-level code execution at the operator's privilege, which in agent environments typically means access to every downstream tool credential. Upgrade to openclaw 2026.4.20 and immediately audit workspace MCP stdio configurations for unexpected NODE_OPTIONS, LD_PRELOAD, or BASH_ENV declarations.

Sources: GitHub Advisory, ATLAS, AIID

What is the risk?

Medium risk with elevated practical impact in agent-heavy deployments. The workspace delivery requirement limits unauthenticated remote exploitation, but the attack class is systematically underestimated — operators routinely import shared configs, and community marketplaces for AI agent workspaces are an immature, lightly-vetted distribution channel. LD_PRELOAD and NODE_OPTIONS injection yield full subprocess code execution at operator privilege level, which in MCP environments typically provides lateral access to all tool credentials, file systems, and connected APIs. The 135 prior CVEs in this package suggest an ongoing pattern of insufficient input validation.

How does the attack unfold?

  1. Workspace Delivery (AML.T0010.005): Attacker publishes a malicious OpenClaw workspace template to a community repository or distributes it via social engineering, embedding an MCP stdio server configuration with NODE_OPTIONS or LD_PRELOAD set to attacker-controlled payload paths.

  2. User Execution (AML.T0011): Operator imports the workspace into OpenClaw and starts a coding session that activates the malicious MCP stdio server, triggering OpenClaw to spawn the subprocess with unfiltered attacker-supplied environment variables.

  3. Code Injection (AML.T0050): The OS loader processes NODE_OPTIONS or LD_PRELOAD before any legitimate server logic runs, executing attacker-controlled code silently at MCP subprocess startup with the operator's full process privileges.

  4. Credential Harvesting (AML.T0083): Injected code reads API keys, auth tokens, and secrets from the MCP server environment and agent configuration files, then exfiltrates them to an attacker-controlled endpoint while the operator's session continues normally.

What systems are affected?

Package    Ecosystem    Vulnerable Range    Patched
OpenClaw   npm          < 2026.4.20         2026.4.20

4 dependents; 36% patched; ~3 days to patch.

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

5 steps
  1. Patch: Upgrade openclaw to 2026.4.20 immediately — this release filters MCP stdio environment entries through a host environment safety denylist before spawning.

  2. Audit: Grep all workspace configuration files for NODE_OPTIONS, LD_PRELOAD, BASH_ENV, and PATH overrides in MCP stdio env blocks; treat any match as a compromise indicator.

  3. Policy: Enforce a review gate on externally-sourced workspace configurations — treat workspace config files with the same scrutiny as code.

  4. Isolation: Run OpenClaw sessions in containers or VMs to limit blast radius if env var injection succeeds; drop LD_PRELOAD capability from the container profile.

  5. Detection: Instrument MCP child process launches to alert on unexpected shared library loads or NODE_OPTIONS-triggered module imports via auditd, Sysmon, or equivalent.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system supply chain; 8.7 - AI system security
NIST AI RMF: GOVERN 6.2 - Policies, processes, procedures, and practices across the organization
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is GHSA-mj59-h3q9-ghfh actively exploited?

No confirmed active exploitation of GHSA-mj59-h3q9-ghfh has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-mj59-h3q9-ghfh?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, MCP (Model Context Protocol) tool servers, Local AI coding assistants, Shared workspace environments, Agentic development pipelines.

What is the CVSS score for GHSA-mj59-h3q9-ghfh?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

  • AI agent frameworks
  • MCP (Model Context Protocol) tool servers
  • Local AI coding assistants
  • Shared workspace environments
  • Agentic development pipelines

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0011 User Execution
AML.T0050 Command and Scripting Interpreter
AML.T0081 Modify AI Agent Configuration
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 8.4, 8.7
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`

## Impact

Workspace MCP stdio configuration could pass dangerous process-startup environment variables such as `NODE_OPTIONS`, `LD_PRELOAD`, or `BASH_ENV` to the spawned MCP server process. In a malicious workspace, this could make the MCP child load attacker-controlled code when the operator starts a session that uses that MCP server.

The impact is limited to local/workspace trust boundaries and requires the operator to run OpenClaw in a workspace containing the malicious MCP configuration. Severity is therefore medium, not high/critical.

## Fix

OpenClaw now filters MCP stdio environment entries through the host environment safety denylist before spawning stdio MCP servers.

Fix commits:

- `62fa5071896e95edc7f67d1cebc70a2859e283af`
- `85d86ebc4bf3d2226d39d132a484f4f7a299fa1b`

## Release

Fixed in OpenClaw `2026.4.20`.

Exploitation Scenario

An adversary publishes a polished OpenClaw workspace template to a community marketplace (e.g., a ClawHub-style repository) with an embedded MCP stdio server configuration that sets NODE_OPTIONS='--require /tmp/.x/evil.js' pointing to a payload pre-staged via a companion malicious npm postinstall script. When a developer imports this workspace and starts a coding session, OpenClaw spawns the MCP stdio server subprocess with the attacker's environment intact. The Node.js loader executes evil.js at process startup — before any visible output — harvesting API keys, auth tokens, and SSH credentials from the process environment and MCP agent configuration files, then exfiltrating them to an attacker-controlled endpoint. The operator sees a normal-looking MCP server response and is unaware of the compromise.

Weaknesses (CWE)

CWE-427 — Uncontrolled Search Path Element: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

  • [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
  • [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Source: MITRE CWE corpus.

Timeline

Published: April 25, 2026
Last Modified: April 25, 2026
First Seen: April 26, 2026
