
SnailSploit/OpenClaw-Env-Injection

GHSA-j425-whc4-4jgc: OpenClaw system.run Env Override Filtering Allowed Dangerous Helper-Command Pivots

Keywords: GHSA-j425-whc4-4jgc, OpenClaw vulnerability, system.run env override, sanitizeHostExecEnv bypass, GIT_SSH_COMMAND, helper-command pivot, AI agent security, env override filtering, allowlist bypass, OpenClaw security advisory

Overview

The env sanitization in src/infra/host-env-security.ts blocked only a narrow set of override-only environment variables. A tool-enabled caller could therefore steer allowlisted tools through helper-command or config-loading variables such as GIT_SSH_COMMAND, editor/pager hooks, and GIT_CONFIG_* / NPM_CONFIG_*.

OpenClaw (187K+ GitHub stars) is a widely deployed personal AI assistant. Its system.run capability allows the agent to execute shell commands on the host machine. Approval evaluation was tied to the reviewed binary/argv, but the launched process could still inherit attacker-controlled env overrides that changed helper-command execution or config resolution — meaning the actual spawned-process behavior diverged from what was approved.

  • Discovered by: Kai Aizen (@SnailSploit) & @tdjackey
  • Published: March 8, 2026
  • CVSS Score: 6.3 (Moderate)
  • CWE: CWE-15 (External Control of System or Configuration Setting) + CWE-639 (Authorization Bypass Through User-Controlled Key)
  • Package: openclaw (npm)
  • Patched in: 2026.3.7

Vulnerability Details

Description

Before the fix, src/infra/host-env-security.ts blocked only a narrow set of override-only environment variables. Dangerous request-scoped overrides such as GIT_SSH_COMMAND and prefix families such as GIT_CONFIG_* and NPM_CONFIG_* could still survive sanitizeSystemRunEnvOverrides(...) / sanitizeHostExecEnv(...) and reach the spawned process.

This mattered for system.run allowlist and approval flows because approval evaluation was tied to the reviewed binary/argv, while the launched process could still inherit attacker-controlled env overrides that changed helper-command execution or config resolution. For allowlisted tools such as git, this allowed behavior outside the reviewed command semantics.

Affected Versions

  • Vulnerable: All versions ≤ 2026.3.2
  • Patched: Version 2026.3.7

Technical Analysis

The core issue is a semantic mismatch between what was reviewed and what actually executes:

  1. A caller invokes system.run with env overrides (e.g., { "GIT_SSH_COMMAND": "<payload>" })
  2. The allowlist/approval system reviews the binary and argv — git push origin main looks safe
  3. sanitizeSystemRunEnvOverrides() / sanitizeHostExecEnv() check against the blocklist
  4. GIT_SSH_COMMAND is not blocked — it passes through to the spawned process
  5. Git invokes the attacker-controlled GIT_SSH_COMMAND as a helper — executing behavior outside the reviewed command semantics

Dangerous Override Categories

| Category | Examples | Effect |
|---|---|---|
| Helper-command pivots | GIT_SSH_COMMAND, GIT_ASKPASS, EDITOR, VISUAL | Direct command execution via tool hooks |
| Config-loading overrides | GIT_CONFIG_*, NPM_CONFIG_* | Config resolution hijacking |
| Pager/display hooks | LESSOPEN, LESSCLOSE, GIT_PAGER | Command execution on output display |

Vulnerable Code Path

src/infra/host-env-security.ts       → sanitizeSystemRunEnvOverrides()
src/infra/host-env-security.ts       → sanitizeHostExecEnv()
src/infra/host-env-security-policy    → narrow blocklist (insufficient)

Fix

The fix (commit e27bbe4) extends the shared TypeScript and macOS policy to block dangerous override-only exact keys and prefixes while preserving trusted inherited base-environment behavior.

Attack Chain

┌─────────────────────────────────────────────────────────────┐
│  1. Tool-enabled caller invokes system.run with env         │
│     overrides: { GIT_SSH_COMMAND: "<payload>" }             │
├─────────────────────────────────────────────────────────────┤
│  2. Allowlist/approval evaluates the binary + argv          │
│     "git push origin main" → approved                       │
├─────────────────────────────────────────────────────────────┤
│  3. sanitizeHostExecEnv checks blocklist                    │
│     GIT_SSH_COMMAND → NOT BLOCKED → passes through          │
├─────────────────────────────────────────────────────────────┤
│  4. Spawned git process inherits the env override           │
│     Git invokes GIT_SSH_COMMAND as helper                   │
├─────────────────────────────────────────────────────────────┤
│  5. Actual behavior diverges from what was approved          │
│     Helper-command executes attacker-controlled payload      │
└─────────────────────────────────────────────────────────────┘

Impact

This is a protection-bypass issue. Exploitation requires an already tool-enabled caller who can invoke system.run and supply env overrides. In affected deployments, that caller could:

  • Bypass allowlist/approval intent — trigger helper-command execution not represented by the approved command line
  • Hijack config resolution — steer tool behavior through config-loading env vars
  • Achieve behavior outside reviewed command semantics — the approved git push becomes something entirely different at runtime

Maintainer severity is set to Moderate because the bug still requires existing execution capability; the vulnerability is the mismatch between reviewed command semantics and actual spawned-process behavior.

Remediation

Immediate Fix

Update OpenClaw to version 2026.3.7 or later:

npm install -g openclaw@latest

Defense in Depth

  • Audit system.run invocations for env override usage
  • Prefer allowlist-based env filtering over blocklist approaches
  • Monitor subprocess behavior for divergence from approved command semantics
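
The second recommendation, sketched as an added example (not OpenClaw's code or the patch itself): a blocklist built from the exact keys and prefixes in the table above, next to an allowlist. The function names, the allowed keys, the sample request and EXAMPLE_TOOL_HOOK are assumptions made for illustration.

```typescript
// Added example with hypothetical names; not OpenClaw's implementation.
type Overrides = Record<string, string>;
type Verdict = { passed: Overrides; rejected: string[] };

// Exact keys and prefixes from the "Dangerous Override Categories" table above.
const BLOCKED_KEYS = new Set([
  "GIT_SSH_COMMAND", "GIT_ASKPASS", "EDITOR", "VISUAL",
  "LESSOPEN", "LESSCLOSE", "GIT_PAGER",
]);
const BLOCKED_PREFIXES = ["GIT_CONFIG_", "NPM_CONFIG_"];

// Assumption: the only per-request overrides this deployment needs.
const ALLOWED_KEYS = new Set(["LANG", "LC_ALL", "TZ", "NO_COLOR"]);

// Partition overrides into those handed to the child process and those dropped.
function split(overrides: Overrides, keep: (key: string) => boolean): Verdict {
  const verdict: Verdict = { passed: {}, rejected: [] };
  for (const [key, value] of Object.entries(overrides)) {
    if (keep(key)) verdict.passed[key] = value;
    else verdict.rejected.push(key);
  }
  return verdict;
}

// Blocklist: compare upper-cased, because Windows env names are case-insensitive.
function blocklistFilter(overrides: Overrides): Verdict {
  return split(overrides, (key) => {
    const k = key.toUpperCase();
    return !BLOCKED_KEYS.has(k) && !BLOCKED_PREFIXES.some((p) => k.startsWith(p));
  });
}

// Allowlist: exact match only, so anything not named above is dropped.
function allowlistFilter(overrides: Overrides): Verdict {
  return split(overrides, (key) => ALLOWED_KEYS.has(key));
}

// Constructed request: one benign key, two from the table, one the table does not list.
const sampleOverrides: Overrides = {
  LANG: "C",
  GIT_SSH_COMMAND: "<payload>",
  GIT_CONFIG_COUNT: "<value>",
  EXAMPLE_TOOL_HOOK: "<payload>", // hypothetical variable name
};

console.log("blocklist passes:", Object.keys(blocklistFilter(sampleOverrides).passed));
console.log("allowlist passes:", Object.keys(allowlistFilter(sampleOverrides).passed));
```

The blocklist still forwards the key it has never heard of, while the allowlist forwards only LANG; the rejected list from either filter is also what an audit of system.run env override usage would log.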

CVSS v3.1 Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

| Metric | Value |
|---|---|
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | Low (PR:L) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | Low (C:L) |
| Integrity | Low (I:L) |
| Availability | Low (A:L) |

Timeline

| Date | Event |
|---|---|
| 2026-03-03 | Vulnerability discovered via source code review |
| 2026-03-04 | Reported via GitHub Security Advisory |
| 2026-03-08 | Advisory published (GHSA-j425-whc4-4jgc) |
| 2026-03-08 | Patched in OpenClaw 2026.3.7 |
| 2026-03-09 | Published to GitHub Advisory Database, reviewed |

Contact

Kai Aizen (SnailSploit)


⚠️ Disclaimer: This repository is for educational and authorized security research purposes only. Use responsibly.
