GHSA-m866-6qv5-p2fg: OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
Summary
OpenClaw's host environment sanitization (a security check that removes dangerous settings before running code) was missing protections for two environment variables: `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE`. An attacker could exploit this through an approved code execution request whose environment overrides redirect git or AWS tools to attacker-controlled files, allowing untrusted code to run or credentials to be stolen.
Solution / Mitigation
Upgrade to OpenClaw version 2026.3.28 or later. The fix was implemented in commit `6eb82fba3c` titled 'Infra: block additional host exec env keys', which adds `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` to the blocklist in `src/infra/host-env-security-policy.json` and `src/infra/host-env-security.ts`.
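As an added example (not OpenClaw's code), a blocklist-style host-env sanitizer of the kind the advisory describes, with a constructed pre-fix policy that lacks the two keys beside a corrected one that includes them. The policy shape, the other blocked names and the sample overrides are assumptions for illustration only.

```typescript
// Added example, not OpenClaw's implementation. Policy shape and contents are assumed.
type HostEnvPolicy = {
  blockedKeys: string[];     // exact variable names that must never reach a child process
  blockedPrefixes: string[]; // variable-name prefixes treated the same way
};

// Constructed pre-fix policy: GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are absent.
const POLICY_BEFORE_FIX: HostEnvPolicy = {
  blockedKeys: ["LD_PRELOAD", "GIT_CONFIG_GLOBAL", "AWS_SHARED_CREDENTIALS_FILE"],
  blockedPrefixes: ["DYLD_"],
};

// Constructed post-fix policy: the two keys the advisory names are added.
const POLICY_AFTER_FIX: HostEnvPolicy = {
  ...POLICY_BEFORE_FIX,
  blockedKeys: [...POLICY_BEFORE_FIX.blockedKeys, "GIT_TEMPLATE_DIR", "AWS_CONFIG_FILE"],
};

type SanitizeResult = { env: Record<string, string>; dropped: string[] };

// Returns a copy of `env` without blocked variables plus the names that were dropped,
// so the caller can log which overrides an exec request attempted. Matching is
// case-insensitive because environment lookups on Windows are.
function sanitizeHostEnv(env: Record<string, string>, policy: HostEnvPolicy): SanitizeResult {
  const keys = new Set(policy.blockedKeys.map((k) => k.toUpperCase()));
  const prefixes = policy.blockedPrefixes.map((p) => p.toUpperCase());
  const out: Record<string, string> = {};
  const dropped: string[] = [];
  for (const [name, value] of Object.entries(env)) {
    const upper = name.toUpperCase();
    const blocked = keys.has(upper) || prefixes.some((p) => upper.startsWith(p));
    if (blocked) dropped.push(name);
    else out[name] = value;
  }
  return { env: out, dropped };
}

// Constructed env overrides of the kind an exec request might carry.
const SAMPLE_OVERRIDES: Record<string, string> = {
  PATH: "/usr/bin",
  GIT_TEMPLATE_DIR: "/tmp/untrusted-templates",
  AWS_CONFIG_FILE: "/tmp/untrusted-aws-config",
};

// With the pre-fix policy both redirecting variables pass through untouched;
// with the post-fix policy both are dropped and only PATH survives.
const beforeFix = sanitizeHostEnv(SAMPLE_OVERRIDES, POLICY_BEFORE_FIX);
const afterFix = sanitizeHostEnv(SAMPLE_OVERRIDES, POLICY_AFTER_FIX);
```

Logging `dropped` is the useful detection signal: an exec request that repeatedly tries to set blocked variables is worth reviewing even though the sanitizer stripped them.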
Original source: https://github.com/advisories/GHSA-m866-6qv5-p2fg
First tracked: March 31, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%