GHSA-vfp4-8x56-j7c5: openclaw: env denylist bypass enables code exec in agents

GHSA-vfp4-8x56-j7c5 HIGH
Published April 17, 2026
CISO Take

openclaw's exec environment policy, the denylist applied to the environment handed to sandboxed subprocesses, did not strip the interpreter startup variables VIMINIT, EXINIT, LUA_INIT and HOSTALIASES. An operator-supplied environment override could therefore reach any Vim, ex or Lua interpreter launched downstream (each runs the contents of its variable as commands before the intended script) or alter how the glibc resolver handles hostname lookups in the child. This matters because the exec policy is a primary security boundary for openclaw agents: a gap in it lets untrusted or compromised inputs act outside the intended sandbox. With 135 CVEs already filed against this package, the attack surface is under sustained scrutiny; this flaw was reported by Tencent's zhuque Lab (the AI-Infra-Guard project), and a separate documented incident of malicious skills in the openclaw ecosystem (AIID #1368) shows that deployments draw real-world attention, although no exploitation of this specific flaw has been reported. Teams running openclaw should upgrade to 2026.4.10 or later (latest stable: 2026.4.14) now; where that is not immediately possible, strip VIMINIT, EXINIT, LUA_INIT and HOSTALIASES (and similar startup variables) from any environment passed to agent processes and run agents in hardened containers with a minimal, explicitly defined environment.

Sources: GitHub Advisory, MITRE ATLAS

What is the risk?

High severity. The weakness is an incomplete denylist (CWE-184), and exploitation is straightforward once an adversary can supply or influence the environment variables passed to an agent subprocess, a realistic condition in multi-tenant AI agent deployments or on any platform that exposes operator-configurable execution contexts. The variables do nothing on their own: VIMINIT and EXINIT fire when the child runs vim or ex, LUA_INIT when it runs the standalone lua interpreter, and HOSTALIASES when a glibc-linked program resolves a hostname without a dot (glibc ignores it in setuid programs). Agent workloads that shell out to editors, scripting runtimes or short-named internal services meet those conditions routinely. While no public exploit or CISA KEV entry exists yet, the abuse pattern (interpreter startup variable injection) is well understood and requires only moderate skill. The history of 135 CVEs in this package, active third-party security research from Tencent, and a documented malicious-skills incident in the same ecosystem put the exploitation probability above the base rate.

How does the attack unfold?

Environment Injection
An adversary with operator access sets interpreter startup variables (LUA_INIT, VIMINIT, EXINIT, HOSTALIASES) in the environment override handed to an openclaw agent execution.
AML.T0081
Denylist Bypass
openclaw's exec environment policy does not recognise these names as high-risk and passes them unchanged into the subprocess environment.
AML.T0107
Interpreter Hijack
When the sandboxed command, or anything it spawns, starts lua, vim or ex, the interpreter executes the contents of the variable before the intended script; glibc-linked programs in the same environment consult the HOSTALIASES file on hostname lookup.
AML.T0050
Code Execution or Network Manipulation
The adversary runs arbitrary commands in the agent's context, or maps a dotless internal hostname to a host they control so that plaintext model-API or secrets-manager traffic from the child is intercepted and credentials are harvested.
AML.T0105

What systems are affected?

Package    Ecosystem    Vulnerable Range    Patched
OpenClaw   npm          < 2026.4.10         2026.4.10
4 dependents; 36% patched; ~3d to patch

If you run any openclaw version below 2026.4.10, you are affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

6 steps
  1. Upgrade openclaw to >= 2026.4.10 (latest stable: 2026.4.14). This is the only complete fix.

  2. If an immediate upgrade is blocked, explicitly unset VIMINIT, EXINIT, LUA_INIT and HOSTALIASES, and related interpreter startup variables, from any environment passed to openclaw processes. The advisory does not enumerate the full list it now blocks; variables with the same effect in other runtimes include PYTHONSTARTUP, PERL5OPT, RUBYOPT, NODE_OPTIONS, BASH_ENV and LD_PRELOAD, so treat those the same way.

  3. Run openclaw agents in hardened containers with a minimal, explicitly defined environment and no inherited shell variables from the host.

  4. Audit all operator-facing configuration surfaces that allow environment variable injection into agent processes.

  5. If running a custom build, verify that fix commit 2d126fc62343a7b6895351f96e4e1474bc358140 (PR #63277) is included.

  6. Review deployment logs for anomalous process spawns and for unexpected outbound DNS queries. HOSTALIASES rewrites a short internal name to the attacker's alias before lookup, so the resolver logs show a query for an unfamiliar name where an internal one was expected.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
Article 9 - Risk Management System
ISO 42001
6.1.2 - AI Risk Treatment
8.4 - AI System Security and Safety
A.9.3 - AI System Security
NIST AI RMF
MANAGE 2.2 - Mechanisms to Sustain Treatment of AI Risks (Risk Treatment and Response)
OWASP LLM Top 10
LLM07 - Insecure Plugin Design
LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-vfp4-8x56-j7c5?

openclaw versions before 2026.4.10 did not strip the interpreter startup variables VIMINIT, EXINIT, LUA_INIT and HOSTALIASES from the environment passed to sandboxed subprocesses, so an operator-supplied environment override could run commands in any Vim, ex or Lua interpreter launched downstream or alter hostname resolution in the child. The weakness is an incomplete denylist (CWE-184); the fix in 2026.4.10 expands the denylist. See the CISO Take above for context.

Is GHSA-vfp4-8x56-j7c5 actively exploited?

No confirmed active exploitation of GHSA-vfp4-8x56-j7c5 has been reported, but organizations should still patch proactively.

How to fix GHSA-vfp4-8x56-j7c5?

Upgrade openclaw to 2026.4.10 or later (latest stable: 2026.4.14). Until the upgrade lands, strip VIMINIT, EXINIT, LUA_INIT, HOSTALIASES and similar interpreter startup variables from any environment passed to agent processes, run agents in containers with a minimal explicit environment, audit operator-facing configuration that can inject environment variables, confirm that commit 2d126fc62343a7b6895351f96e4e1474bc358140 (PR #63277) is present in any custom build, and review logs for anomalous process spawns or unexpected DNS queries. The full six-step list is under "What should I do?" above.

What systems are affected by GHSA-vfp4-8x56-j7c5?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Automated execution environments, Multi-agent orchestration pipelines, AI-powered CI/CD pipelines.

What is the CVSS score for GHSA-vfp4-8x56-j7c5?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Automated execution environments
Multi-agent orchestration pipelines
AI-powered CI/CD pipelines

MITRE ATLAS Techniques

AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0105 Escape to Host
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 6.1.2, 8.4, A.9.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

## Summary

Exec environment denylist missed high-risk interpreter startup variables.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

The exec environment policy missed interpreter startup variables such as `VIMINIT`, `EXINIT`, `LUA_INIT`, and `HOSTALIASES`, allowing operator-supplied environment overrides to influence downstream execution or network behavior.

## Technical Details

The fix expands the host environment security policy denylist to cover these and related high-risk environment variables, with regression coverage.

## Fix

The issue was fixed in #63277. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `2d126fc62343a7b6895351f96e4e1474bc358140`
- PR: #63277

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting this issue.

Exploitation Scenario

An adversary with operator-level access to an openclaw deployment, for example through a compromised third-party skill or a multi-tenant platform, sets LUA_INIT to a Lua chunk (the standalone interpreter runs it, or the file named after a leading @, before any script it was asked to execute) that reads the agent's working directory and posts the contents to an attacker-controlled endpoint the next time the agent shells out to lua. Alternatively, they set HOSTALIASES to a file that maps a trusted dotless internal hostname (a short name for the model API gateway or a secrets manager) to a name they control, so that child processes using the glibc resolver connect to the attacker's host without any openclaw configuration file being modified. Plaintext or unverified connections then leak API keys or accept manipulated model responses; a properly validated TLS connection fails instead, because the client still checks the certificate against the original name. Both techniques need only environment variable injection, which the pre-fix denylist did not block.

Weaknesses (CWE)

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

  • [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Source: MITRE CWE corpus.

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026

Related Vulnerabilities