{"data":{"id":"5fe9c0c8-851d-4abe-9258-a1e20452dba2","title":"GHSA-vfp4-8x56-j7c5: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables","summary":"OpenClaw missed blocking dangerous environment variables (like VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES) that could be set by users to change how programs start up or behave on the network. This security gap affected OpenClaw versions before 2026.4.10.","solution":"Users should upgrade to openclaw version 2026.4.10 or newer. The latest npm release, openclaw@2026.4.14, already includes the fix, which expands the denylist (a list of blocked items) in the execution environment security policy to cover these high-risk environment variables.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-vfp4-8x56-j7c5","publishedAt":"2026-04-17T21:54:20.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.4.10 (fixed: 2026.4.10)"],"affectedVendors":[],"affectedVendorsRaw":[],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-17T21:54:20.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}