GHSA-cm8v-2vh9-cxf3: OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)
Summary
OpenClaw, a local AI assistant tool, did not strip Git plumbing environment variables such as GIT_DIR (settings that control where and how Git operates) from the environment before running system commands. The exec environment denylist was missing these variables, potentially allowing attackers to redirect Git operations to malicious locations. This vulnerability affected OpenClaw versions up to 2026.3.30.
Solution / Mitigation
Update OpenClaw to version 2026.4.8 or later, which patches the vulnerability by properly removing Git plumbing environment variables before executing host commands.
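The kind of environment scrubbing the fix describes, as an added example that is not OpenClaw's code. It goes one step beyond an enumerated denylist: every `GIT_*` variable is dropped unless it is on a short allowlist, which is a policy assumed for this sketch. The names `sanitizeExecEnv`, `GIT_ALLOWED` and `SAMPLE_ENV` are hypothetical.

```javascript
// Added example, not OpenClaw's code. Assumed policy: drop every GIT_*
// variable unless it is on a short allowlist, so a plumbing variable that
// nobody enumerated cannot slip past the filter.
const GIT_ALLOWED = new Set([
  "GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_AUTHOR_DATE",
  "GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL", "GIT_COMMITTER_DATE",
]);

// Returns a copy of `env` for a child process, plus the names that were
// removed so the caller can log them. The input object is not modified.
function sanitizeExecEnv(env) {
  const clean = {};
  const stripped = [];
  for (const [name, value] of Object.entries(env)) {
    if (value === undefined) continue;
    // Windows treats variable names case-insensitively, so compare
    // uppercased; over-stripping a lowercase name on POSIX is harmless.
    const key = name.toUpperCase();
    if (key.startsWith("GIT_") && !GIT_ALLOWED.has(key)) {
      stripped.push(name);
      continue;
    }
    clean[name] = value;
  }
  return { env: clean, stripped: stripped.sort() };
}

// Constructed sample: an inherited environment carrying Git redirects.
const SAMPLE_ENV = {
  PATH: "/usr/bin:/bin",
  HOME: "/home/dev",
  GIT_DIR: "/tmp/constructed/.git",
  GIT_WORK_TREE: "/tmp/constructed",
  GIT_CONFIG_COUNT: "1",
  GIT_CONFIG_KEY_0: "example.key",
  GIT_CONFIG_VALUE_0: "constructed-value",
  git_index_file: "/tmp/constructed/index",
  GIT_AUTHOR_NAME: "Dev",
};

// Typical use with Node's child_process:
//   spawn(cmd, args, { env: sanitizeExecEnv(process.env).env });
```

Logging the `stripped` list at the call site gives a detection signal when a process is launched with unexpected Git variables in its inherited environment.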
Original source: https://github.com/advisories/GHSA-cm8v-2vh9-cxf3
First tracked: April 9, 2026 at 08:00 PM