OpenClaw Approval Bypass Vulnerability via Environment Variable Normalization

Vulnerability

An approval bypass vulnerability has been identified in OpenClaw versions prior to commit b57b680. The issue arises from inconsistent normalization of environment variables between the approval and execution phases. As a result, attackers can inject environment variables into the execution phase without those variables undergoing the necessary approval validation. Because the two phases normalize differently, non-portable keys can be omitted during approval yet still be accepted at execution, bypassing operator review. This could alter runtime behavior, including the execution of attacker-controlled binaries.

Impact

Exploitation of this vulnerability could lead to unauthorized environment overrides in approved commands, creating a gap in approval integrity for affected execution flows.

Reproduction

To reproduce this vulnerability, create a system.run approval binding that omits certain Windows-compatible environment keys. Then inject these keys at execution time, bypassing the approval process. This works because the approval phase normalizes environment variable keys in a way that discards non-portable keys, while the execution phase still allows them to be injected when the command is executed.

Remediation

Users can update to OpenClaw version 2026.4.2 or later, where this vulnerability has been patched.
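
The mismatch described under Vulnerability, next to a hardened pattern, as an added example that is not OpenClaw's code or its actual patch. All function names, both key rules and the sample request are assumptions constructed for illustration: a single canonicalizer is shared by both phases, rejects keys it will not carry instead of dropping them, and the binding is compared against it at execution.

```javascript
// Added illustration; names and key rules are assumptions, not OpenClaw code.
const PORTABLE_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/; // POSIX-style names only
const WINDOWS_KEY = /^[^=\u0000]+$/;              // Windows also allows e.g. "(" and ")"

// Mismatched pair: approval silently drops keys that execution later accepts.
function approvalView(env) {
  return Object.entries(env).filter(([k]) => PORTABLE_KEY.test(k));
}
function executionView(env) {
  return Object.entries(env).filter(([k]) => WINDOWS_KEY.test(k));
}

// Keys that would reach the process without having been shown to the operator.
function unreviewedKeys(env) {
  const reviewed = new Set(approvalView(env).map(([k]) => k));
  return executionView(env).map(([k]) => k).filter((k) => !reviewed.has(k));
}

// Hardened form: one canonicalizer for both phases; it rejects instead of dropping.
function canonicalEnv(env) {
  const seen = new Map();
  for (const [key, value] of Object.entries(env)) {
    if (!WINDOWS_KEY.test(key)) throw new Error(`invalid env key: ${JSON.stringify(key)}`);
    const folded = key.toUpperCase(); // Windows env names are case-insensitive
    if (seen.has(folded)) throw new Error(`duplicate env key: ${key}`);
    seen.set(folded, String(value));
  }
  const sorted = [...seen.entries()].sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
  return JSON.stringify(sorted);
}

// The binding stores the canonical form the operator reviewed.
function approve(command, env) {
  return { command, env: canonicalEnv(env) };
}

// Execution recomputes with the same function and fails closed on any difference.
function checkAtExecution(binding, command, env) {
  return binding.command === command && binding.env === canonicalEnv(env);
}

// Constructed sample request (not taken from the advisory).
const requested = { PATH: "/usr/bin", "ProgramFiles(x86)": "C:\\Constructed" };
```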

Added: Apr 2, 2026, 9:43 PM
Updated: Apr 2, 2026, 9:43 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.