GHSA-vfp4-8x56-j7c5: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
Summary
OpenClaw did not block dangerous environment variables (such as VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES) that a user could set to change how programs start up or how they resolve hostnames on the network. This gap affected OpenClaw versions before 2026.4.10.
Solution / Mitigation
Users should upgrade to openclaw version 2026.4.10 or newer. The latest npm release, openclaw@2026.4.14, already includes the fix, which expands the denylist (a list of blocked items) in the execution environment security policy to cover these high-risk environment variables.
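As an added illustration (not OpenClaw's own code), the check below applies a denylist to a caller-supplied exec environment, either rejecting the request or stripping the hits. The four names from this advisory are included; BASH_ENV, PYTHONSTARTUP and LD_PRELOAD, the prefix form LUA_INIT*, and the case-insensitive comparison are assumptions made here for illustration.

```python
"""Exec-environment denylist check. Added example, not OpenClaw's own code.

Names marked "advisory" come from GHSA-vfp4-8x56-j7c5; the others are
well-known startup hooks added here as an assumption for illustration.
"""
from dataclasses import dataclass, field

DEFAULT_DENYLIST = frozenset({
    "VIMINIT", "EXINIT", "LUA_INIT*", "HOSTALIASES",   # advisory
    "BASH_ENV", "PYTHONSTARTUP", "LD_PRELOAD",         # assumption
})


@dataclass
class EnvDecision:
    allowed: bool                 # False when policy is "reject" and a hit occurred
    env: dict                     # environment to pass to the child (hits removed)
    blocked: list = field(default_factory=list)   # names that matched the denylist


def _matches(name: str, pattern: str) -> bool:
    """Exact match, or prefix match when the pattern ends with '*'.
    Comparison is case-insensitive: Windows treats env names that way, and
    dropping 'viminit' on Linux as well is the conservative choice."""
    n, p = name.strip().upper(), pattern.upper()
    return n.startswith(p[:-1]) if p.endswith("*") else n == p


def check_exec_env(env, denylist=DEFAULT_DENYLIST, policy="reject"):
    """Apply the denylist to a caller-supplied environment.

    policy="reject": any hit makes the whole request disallowed.
    policy="strip":  hits are dropped and the remaining env is allowed.
    """
    clean, blocked = {}, []
    for name, value in env.items():
        if any(_matches(name, pat) for pat in denylist):
            blocked.append(name)
        else:
            clean[name] = value
    allowed = not blocked or policy == "strip"
    return EnvDecision(allowed=allowed, env=clean, blocked=blocked)


if __name__ == "__main__":
    # Constructed request: a benign PATH plus two interpreter startup hooks.
    req = {"PATH": "/usr/bin", "VIMINIT": "x", "lua_init_5_4": "y"}
    print(check_exec_env(req))                  # rejected, both hooks listed
    print(check_exec_env(req, policy="strip"))  # allowed with only PATH kept
```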
Original source: https://github.com/advisories/GHSA-vfp4-8x56-j7c5
First tracked: April 17, 2026 at 08:00 PM