GHSA-w9j9-w4cp-6wgr: openclaw: env var injection enables host exec hijacking
GHSA-w9j9-w4cp-6wgr MEDIUMOpenClaw, a local AI agent (npm), allows host-executed subprocesses to inherit the full parent environment, exposing shell-stored credentials, API keys, and build tool tokens to manipulation by interpreters and scripts — a CWE-78 OS command injection flaw embedded in the agent's execution model. While no public exploit, CISA KEV listing, or EPSS score is currently available, this package carries 60 prior CVEs — a persistent security deficit that signals systemic code quality issues beyond this single advisory. The risk is amplified by the OpenClaw skills ecosystem: AIID #1368 documents malicious ClawHub skills already weaponized to exfiltrate credentials, and env var injection provides exactly the mechanism such skills need to escalate access silently. Patch to 2026.4.8 immediately and audit all environment variables exposed in shells where OpenClaw executes.
What is the risk?
Medium CVSS in isolation, but contextually elevated for AI agent deployments. The local execution scope limits direct remote exploitability, but the skills marketplace supply chain vector removes the requirement for physical access — a malicious skill installed from ClawHub can trigger the env var injection without additional user interaction beyond skill invocation. The 60 prior CVEs in this package are a strong signal that the security boundary around host-exec has not been rigorously maintained. Developer workstations and CI/CD pipelines running OpenClaw are the highest-risk environments due to the density of cloud credentials, tokens, and secrets typically present in those shell environments.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.8 | 2026.4.8 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Patch immediately: upgrade openclaw to 2026.4.8 (verified fixed commit: d7c3210cd6f5fdfdc1beff4c9541673e814354d5).
-
Before patching, audit all environment variables present in shells where OpenClaw runs — rotate any cloud credentials, API keys, or tokens stored in shell profiles or dotfiles.
-
Apply env sanitization as a defense-in-depth measure: wrap OpenClaw invocations with 'env -i' or an explicit allowlist of required variables to prevent secret leakage even if a future regression occurs.
-
Audit installed OpenClaw skills against the ~17% malicious skill rate documented in AIID #1368 — uninstall unverified third-party skills.
-
Enable process-level monitoring on hosts running OpenClaw to detect anomalous child process spawning or unexpected outbound network connections.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-w9j9-w4cp-6wgr?
OpenClaw, a local AI agent (npm), allows host-executed subprocesses to inherit the full parent environment, exposing shell-stored credentials, API keys, and build tool tokens to manipulation by interpreters and scripts — a CWE-78 OS command injection flaw embedded in the agent's execution model. While no public exploit, CISA KEV listing, or EPSS score is currently available, this package carries 60 prior CVEs — a persistent security deficit that signals systemic code quality issues beyond this single advisory. The risk is amplified by the OpenClaw skills ecosystem: AIID #1368 documents malicious ClawHub skills already weaponized to exfiltrate credentials, and env var injection provides exactly the mechanism such skills need to escalate access silently. Patch to 2026.4.8 immediately and audit all environment variables exposed in shells where OpenClaw executes.
Is GHSA-w9j9-w4cp-6wgr actively exploited?
No confirmed active exploitation of GHSA-w9j9-w4cp-6wgr has been reported, but organizations should still patch proactively.
How to fix GHSA-w9j9-w4cp-6wgr?
1. Patch immediately: upgrade openclaw to 2026.4.8 (verified fixed commit: d7c3210cd6f5fdfdc1beff4c9541673e814354d5). 2. Before patching, audit all environment variables present in shells where OpenClaw runs — rotate any cloud credentials, API keys, or tokens stored in shell profiles or dotfiles. 3. Apply env sanitization as a defense-in-depth measure: wrap OpenClaw invocations with 'env -i' or an explicit allowlist of required variables to prevent secret leakage even if a future regression occurs. 4. Audit installed OpenClaw skills against the ~17% malicious skill rate documented in AIID #1368 — uninstall unverified third-party skills. 5. Enable process-level monitoring on hosts running OpenClaw to detect anomalous child process spawning or unexpected outbound network connections.
What systems are affected by GHSA-w9j9-w4cp-6wgr?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local developer tooling, CI/CD pipelines.
What is the CVSS score for GHSA-w9j9-w4cp-6wgr?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation AML.T0055 Unsecured Credentials AML.T0105 Escape to Host AML.T0112.000 Local AI Agent Compliance Controls Affected
What are the technical details?
Original Advisory
## Impact OpenClaw Host-Exec Environment Variable Injection. Host exec could inherit environment variables that influence interpreters, shells, or build tools. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.3.28` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @wsparks-vc for reporting.
Exploitation Scenario
An adversary publishes a seemingly useful OpenClaw skill to the ClawHub marketplace — a code formatter or productivity tool. A developer installs it and invokes it during a normal workflow. The skill internally triggers a host-exec call with a crafted argument designed to read specific environment variables (AWS_ACCESS_KEY_ID, ANTHROPIC_API_KEY, GITHUB_TOKEN) that OpenClaw inherited from the developer's shell. The subprocess exfiltrates these values via an outbound HTTPS request to an adversary-controlled endpoint, disguised as telemetry. The developer sees no error — the skill completes normally. The adversary now has live cloud credentials with the developer's full access scope.
Weaknesses (CWE)
CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
- [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw