GHSA-vfw7-6rhc-6xxg: openclaw: env var injection via workspace config

GHSA-vfw7-6rhc-6xxg HIGH
Published April 7, 2026
CISO Take

An attacker who can supply or manipulate a workspace configuration file can inject arbitrary environment variables into openclaw's CLI backend runner process — effectively letting a malicious repository control the execution environment of the backend process on a developer's machine. This advisory covers an incomplete fix for CVE-2026-4039, meaning the prior patch could be bypassed; openclaw already carries 37 CVEs on record, and the active AIID #1368 incident links malicious openclaw workspace artifacts to credential-stealing malware delivered via the ClawHub ecosystem. The attack requires only that a victim open a crafted workspace — no elevated privileges or network access needed — and developer environments running AI agents are dense with high-value secrets (LLM API keys, cloud credentials) stored as environment variables. No public exploit exists and the advisory is not in CISA KEV, but the low exploitation barrier and known hostile ecosystem make this a patch-immediately item: upgrade to openclaw >= 2026.3.24 and audit all workspace configs sourced from external or community repositories.

Sources: GitHub Advisory, ATLAS

Risk Assessment

High severity with low exploitation complexity. The attack surface is any developer workstation, CI/CD pipeline, or agent orchestration platform that loads workspace configs from untrusted sources. The incomplete-fix lineage (CVE-2026-4039 → GHSA-vfw7-6rhc-6xxg) indicates the root cause was not fully resolved on the first attempt, raising doubt about remediation completeness. AI agent toolchains are particularly high-value targets due to the density of privileged credentials (LLM API keys, cloud IAM tokens, database URIs) in their runtime environment. No EPSS data and no KEV entry slightly reduce immediacy, but the established malicious-workspace attack pattern documented in AIID #1368 against the same package keeps this in the high-priority tier.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
openclaw  npm         <= 2026.3.23-2     2026.3.24


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Upgrade openclaw npm package to >= 2026.3.24 immediately — the fix sanitizes backend env before process spawn.
  2. Audit all workspace configs currently in use, treating any config sourced from external or community repositories as untrusted input.
  3. Restrict workspace config loading to internally controlled, signed sources; implement allowlisting for permitted config origins.
  4. In CI/CD pipelines, pin the openclaw version and verify package integrity via lockfile checksums before execution.
  5. Detection: monitor child process spawns from the openclaw CLI for unexpected environment variable overrides — specifically watch for *_API_KEY overrides, *_BASE_URL values pointing to non-canonical endpoints, and LD_PRELOAD or PATH values that differ from the parent process.
  6. Consider running openclaw in containers with minimal host environment exposure as a defense-in-depth control until upgrade is confirmed across all environments.
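One way to implement the pre-spawn sanitization from step 1 and the spawn-monitoring rule from step 5, as an added example that is not openclaw's own code: the workspace config is assumed to carry a plain key/value `env` object, spawn-audit records are assumed to be one JSON object per line with the child's env, and the trusted LLM host list is an assumption.

```javascript
// Added example, not openclaw's own code: drop dangerous workspace-supplied
// env before spawning the backend runner (step 1) and flag the same overrides
// in spawn-audit records (step 5). Config/log shapes and hosts are assumptions.

// Variables that change what code the child loads or which binaries it runs.
const LOADER_KEYS = /^(LD_PRELOAD|LD_LIBRARY_PATH|DYLD_[A-Z_]+|PATH|NODE_OPTIONS)$/;
// Hosts the LLM clients are expected to call (assumed allowlist).
const TRUSTED_API_HOSTS = new Set(['api.anthropic.com', 'api.openai.com']);
// Reason string if setting key=value from an untrusted source is dangerous, else null.
function classifyOverride(key, value) {
  if (LOADER_KEYS.test(key)) return 'loader-override';
  if (/_API_KEY$/.test(key)) return 'credential-override';
  if (/(_BASE_URL|_API_BASE)$/.test(key)) {
    let host;
    try { host = new URL(value).hostname; } catch { return 'malformed-endpoint'; }
    if (!TRUSTED_API_HOSTS.has(host)) return 'non-canonical-endpoint';
  }
  return null;
}
// Merge workspace env into the runner env; flagged keys never reach the child.
function sanitizeBackendEnv(baseEnv, workspaceEnv) {
  const env = { ...baseEnv };
  const rejected = [];
  for (const [key, raw] of Object.entries(workspaceEnv || {})) {
    const reason = classifyOverride(key, String(raw));
    if (reason) rejected.push({ key, reason });
    else env[key] = String(raw);
  }
  return { env, rejected };
}
// Scan spawn records (one JSON object per line with the child's env) and flag
// variables that were added or changed relative to the parent's baseline env.
function detectSuspiciousSpawns(jsonLines, baselineEnv) {
  const findings = [];
  for (const line of jsonLines.split('\n').filter(Boolean)) {
    const ev = JSON.parse(line);
    for (const [key, value] of Object.entries(ev.env || {})) {
      if (baselineEnv[key] === value) continue; // inherited unchanged, not an override
      const reason = classifyOverride(key, String(value));
      if (reason) findings.push({ pid: ev.pid, key, reason });
    }
  }
  return findings;
}
// Constructed sample: a benign spawn, then one with a loader hook and a redirected endpoint.
const SAMPLE_SPAWN_LOG = [
  '{"pid":4101,"cmd":"openclaw-backend","env":{"PATH":"/usr/bin","OPENCLAW_LOG_LEVEL":"debug"}}',
  '{"pid":4102,"cmd":"openclaw-backend","env":{"PATH":"/usr/bin","LD_PRELOAD":"/tmp/hook.so","ANTHROPIC_BASE_URL":"https://llm-proxy.example.net/v1"}}',
].join('\n');
```

Running `detectSuspiciousSpawns(SAMPLE_SPAWN_LOG, { PATH: '/usr/bin' })` reports only the second spawn, with one loader-override and one non-canonical-endpoint finding.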

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system operation and monitoring
NIST AI RMF: MANAGE-2.4 - AI Risk Treatment — Component Integrity
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Technical Details

NVD Description

## Summary

Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config

## Current Maintainer Triage

- Status: open
- Normalized severity: high
- Assessment: Real shipped malicious-workspace-config env injection in the CLI backend runner, fixed by sanitizing backend env before spawn and shipped in v2026.3.24, so advisory stays open until published.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.23-2`
- Patched versions: `>= 2026.3.24`
- First stable tag containing the fix: `v2026.3.24`

## Fix Commit(s)

- `c2fb7f1948c3226732a630256b5179a60664ec24` — 2026-03-24T12:58:10-07:00

## Release Process Note

- The fix is already present in released version `2026.3.24`.
- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.

Thanks @YLChen-007 for reporting.

Exploitation Scenario

An adversary publishes a malicious workspace config to a public repository or community hub — mirroring the AIID #1368 attack pattern where ~17% of openclaw skills were assessed as malicious. A developer clones the workspace and runs openclaw, or an automated CI pipeline ingests it during a build step. The crafted config injects environment variables into the backend runner: overriding ANTHROPIC_BASE_URL or OPENAI_API_BASE to redirect LLM API calls to an attacker-controlled proxy (harvesting API credentials with every inference call), or injecting LD_PRELOAD to load a malicious shared library into the spawned backend process. Injected variables persist for the entire runner session, enabling silent credential exfiltration, lateral movement within the developer's AI toolchain, or persistent compromise via further agent configuration modification.

Timeline

Published: April 7, 2026
Last Modified: April 7, 2026
First Seen: April 7, 2026
