GHSA-G8XP-QX39-9JQ9: GHSA-G8XP-QX39-9JQ9: Arbitrary Code Execution via Environment Variable Injection in OpenClaw Host Execution

GHSA-G8XP-QX39-9JQ9: Arbitrary Code Execution via Environment Variable Injection in OpenClaw Host Execution

Vulnerability ID: GHSA-G8XP-QX39-9JQ9
CVSS Score: 10.0
Published: 2026-04-03

OpenClaw versions prior to v2026.3.31 contain an environment variable injection vulnerability in the Host Environment Security Policy. An untrusted AI model can achieve arbitrary code execution on the host by supplying specific un-sanitized compiler environment variables during host-exec operations.

TL;DR

Incomplete sanitization of compiler environment variables (such as CC and CXX) in OpenClaw allows an AI agent to hijack build tools and execute arbitrary code on the underlying host system.

---

⚠️ Exploit Status: POC

Technical Details

• CWE: CWE-454, CWE-427, CWE-78
• Attack Vector: Network (via AI Prompt/Agent execution)
• CVSS Score: 10.0
• Impact: Arbitrary Code Execution on Host OS
• Exploit Status: poc
• Affected Component: HostEnvSecurityPolicy

Affected Systems

• OpenClaw host-exec subsystem
• OpenClaw macOS Native Bridge
• OpenClaw: < v2026.3.31 (Fixed in: v2026.3.31)

Code Analysis

Commit: e277a37

Fix incomplete denylist in Host Environment Security Policy allowing arbitrary compiler overrides

Exploit Details

• GitHub Commit Regression Test: A regression test in the patch demonstrates setting CC to a malicious shell script during a make execution.

Mitigation Strategies

• Update OpenClaw to v2026.3.31 or later.
• Implement strict OS-level sandboxing (e.g., containers, AppArmor) for the OpenClaw process.
• Configure monitoring for unusual environment variable overrides in host-exec logs.

Remediation Steps:

1. Identify all deployed instances of OpenClaw in the environment.
2. Pull the latest stable release (v2026.3.31 or higher) from the official repository.
3. Deploy the updated application and restart the OpenClaw service.
4. Verify that the updated src/infra/host-env-security-policy.json contains the CC and CXX keys.
5. Ensure any macOS native bridge components are rebuilt to reflect the generated Swift policy changes.

References

• OpenClaw Patch e277a37
• OpenClaw GitHub Repository

---

Read the full report for GHSA-G8XP-QX39-9JQ9 on our website for more details including interactive diagrams and full exploit analysis.