GHSA-7437-7hg8-frrw: OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
Summary
OpenClaw, a local AI assistant tool, had a security vulnerability where certain environment variables (HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS) were not blocked from being passed to system commands, allowing attackers to achieve RCE (remote code execution, where an attacker can run commands on a system they don't own) through malicious build tool settings. This vulnerability affected versions before 2026.4.8.
Solution / Mitigation
Update OpenClaw to version 2026.4.8 or later. The fix was released in npm version 2026.4.8 and is available on the main branch at commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-7437-7hg8-frrw
First tracked: April 9, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 85%