{"data":{"id":"18674c23-27ec-4c63-810a-54ad394bf356","title":"GHSA-7437-7hg8-frrw: OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)","summary":"OpenClaw, a local AI assistant tool, had a security vulnerability where certain environment variables (HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS) were not blocked from being passed to system commands, allowing attackers to achieve RCE (remote code execution, where an attacker can run commands on a system they don't own) through malicious build tool settings. This vulnerability affected versions before 2026.4.8.","solution":"Update OpenClaw to version 2026.4.8 or later. The fix was released in npm version 2026.4.8 and is available on the main branch at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-7437-7hg8-frrw","publishedAt":"2026-04-09T14:22:29.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.4.8 (fixed: 2026.4.8)"],"affectedVendors":[],"affectedVendorsRaw":["OpenClaw"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-09T14:22:29.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}