OpenClaw Insufficient Environment Variable Denylist Vulnerability in Exec Policy
Vulnerability
A vulnerability exists in OpenClaw versions prior to 2026.4.10: the exec environment policy, which decides which environment variables a caller may set on the commands it spawns, does not denylist several high-risk interpreter startup variables. VIMINIT and EXINIT are evaluated by Vim and ex as Ex commands on startup, LUA_INIT is executed as Lua code by the lua interpreter before any script runs, and HOSTALIASES names a file from which the glibc resolver reads hostname aliases. Because the policy lets operators override these variables, a spawned command that invokes one of those interpreters, or that resolves hostnames, can be made to run attacker-chosen startup code or have its network connectivity redirected.
Impact
The policy accepts overrides of these variables without restriction. A caller who is permitted to set environment variables on a spawned command, but is not meant to run arbitrary code, can therefore have Vim, ex or Lua execute startup code of their choosing, or point HOSTALIASES at a file that remaps hostnames. This alters execution behaviour or network interactions and can lead to unauthorized actions or access.
Reproduction
On an affected version, supply one of the unrestricted variables through the exec environment policy (for example VIMINIT or EXINIT set to an Ex command, LUA_INIT set to Lua code, or HOSTALIASES set to the path of an alias file), then run a command that exercises it: one that invokes vim or ex, one that invokes lua, or one that resolves a hostname. Because the policy does not reject these names, the override reaches the child process and the interpreter executes the injected startup code, or the resolver consults the alias file. On a fixed version the same override is refused by the policy before the command is spawned.
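The following is an added example, not OpenClaw's own code, illustrating both the policy gap described above and the reproduction: a minimal exec environment policy that filters caller-supplied overrides against a denylist. The "legacy" list is an assumption about what such a policy typically blocks and deliberately omits the four variables named in the advisory; the "hardened" list adds them. It also goes slightly beyond the advisory by matching names case-insensitively and blocking the LD_ and DYLD_ prefix families outright, which is sensible hardening rather than something the page describes. The sample overrides are constructed for the demonstration.

```typescript
// Added example (not OpenClaw's code): a denylist-based exec environment policy.
type EnvOverrides = Record<string, string>;

interface PolicyResult {
  allowed: EnvOverrides;  // overrides that may reach the child process
  rejected: string[];     // variable names the policy refused
}

// Assumed legacy denylist: plausible entries for an exec policy, chosen for
// illustration. It lacks the interpreter startup variables from the advisory.
const LEGACY_DENY: readonly string[] = [
  "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT",
  "DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH",
  "PYTHONSTARTUP", "PERL5OPT", "NODE_OPTIONS", "BASH_ENV", "ENV",
];

// Variables named in the advisory: each makes an interpreter run caller-chosen
// code at startup or redirects hostname resolution.
const INTERPRETER_STARTUP: readonly string[] = [
  "VIMINIT",     // Vim/ex evaluate this as Ex commands, e.g. :!cmd
  "EXINIT",      // same, honoured for ex/vi compatibility
  "LUA_INIT",    // the lua interpreter runs this as Lua before any script
  "HOSTALIASES", // glibc resolver reads hostname aliases from this file
];

const HARDENED_DENY: readonly string[] = [...LEGACY_DENY, ...INTERPRETER_STARTUP];

// Prefix families rejected wholesale (hardening assumption, not from the advisory).
const DENY_PREFIXES: readonly string[] = ["LD_", "DYLD_"];

function applyEnvPolicy(overrides: EnvOverrides, denylist: readonly string[]): PolicyResult {
  const deny = new Set(denylist.map((k) => k.toUpperCase()));
  const allowed: EnvOverrides = {};
  const rejected: string[] = [];
  for (const [name, value] of Object.entries(overrides)) {
    // Compare case-insensitively: Windows treats variable names as
    // case-insensitive, so "viminit" would otherwise bypass an exact-match list.
    const key = name.toUpperCase();
    const blocked = deny.has(key) || DENY_PREFIXES.some((p) => key.startsWith(p));
    if (blocked) {
      rejected.push(name);
    } else {
      allowed[name] = value;
    }
  }
  return { allowed, rejected };
}

// Constructed sample: what a caller might request. The payloads are benign
// markers that merely show the variable is acted on at interpreter startup.
const SAMPLE_OVERRIDES: EnvOverrides = {
  PATH: "/usr/bin:/bin",
  LUA_INIT: "print('LUA_INIT ran before the script')",
  VIMINIT: ":!echo VIMINIT ran on startup",
  HOSTALIASES: "/tmp/constructed.aliases",
  LD_PRELOAD: "/tmp/constructed.so",
};

function legacyResult(): PolicyResult {
  return applyEnvPolicy(SAMPLE_OVERRIDES, LEGACY_DENY);
}

function hardenedResult(): PolicyResult {
  return applyEnvPolicy(SAMPLE_OVERRIDES, HARDENED_DENY);
}

// Stand-alone demo: the legacy policy passes the three interpreter startup
// variables and HOSTALIASES through; the hardened policy rejects them.
console.log("legacy rejects:  ", legacyResult().rejected.join(", "));
console.log("hardened rejects:", hardenedResult().rejected.join(", "));
```

Running the block prints `LD_PRELOAD` as the only legacy rejection, while the hardened policy also rejects `LUA_INIT`, `VIMINIT` and `HOSTALIASES`; only `PATH` reaches the child. A denylist is still a weaker design than an allowlist of known-safe variables, because every interpreter adds its own startup hooks (the page's four are examples, not an exhaustive set), so treat the list as a floor and prefer allowlisting where the calling context permits.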
Remediation
Upgrade to OpenClaw version 2026.4.10 or later, which restricts these variables in the exec environment policy. If the upgrade cannot be applied immediately, treat the ability to set environment variables on spawned commands as equivalent to code execution and restrict it to trusted callers accordingly.
