External Control of System or Configuration Setting in OpenClaw - #VU125132

Published: April 8, 2026


Vulnerability identifier: #VU125132
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-15
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to bypass allowlist and approval controls and influence subprocess behavior.

The vulnerability exists due to external control of a system or configuration setting in the system.run environment override sanitization (src/infra/host-env-security.ts) when env overrides are processed for spawned processes. A remote user can supply crafted environment overrides to bypass allowlist and approval controls and influence subprocess behavior.

Exploitation requires the ability to invoke system.run with env overrides. The issue can affect helper-command execution or config-loading behavior that is not represented by the approved command line, so the approval step may not see what the spawned process will actually do.
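The following is an added example, not OpenClaw's code and not derived from the fixed src/infra/host-env-security.ts. It illustrates the defensive shape this class of issue (CWE-15) calls for when env overrides reach a spawned helper: treat every override as untrusted, refuse any key that can change which program or code the helper loads or where it reads configuration, accept only a short allowlist, and fail closed when anything is rejected so the approved command line stays a faithful description of what executes. The key sets, the sanitizeEnvOverrides and approveEnvOverrides functions and the sample overrides are all assumptions constructed for this illustration.

```typescript
// Added example (not OpenClaw's code): deny-by-default filtering of environment
// overrides for a spawned helper command. The aim is that an override can never
// change which program runs, what it loads, or where it reads its config, so the
// approved command line remains a faithful description of what will execute.

interface EnvRejection {
  key: string;
  reason: string;
}

interface EnvDecision {
  accepted: Record<string, string>;
  rejected: EnvRejection[];
}

// Variables that redirect the dynamic loader, an interpreter, or command lookup
// regardless of the command line. Illustrative policy (assumption), not a
// complete list for any one platform.
const LOADER_AND_INTERPRETER_KEYS: Set<string> = new Set([
  "PATH",
  "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT",
  "DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH",
  "NODE_OPTIONS", "NODE_PATH",
  "PYTHONPATH", "PYTHONSTARTUP",
  "PERL5OPT", "RUBYOPT",
  "BASH_ENV", "ENV", "SHELLOPTS", "IFS",
]);

// Prefixes whose variables commonly point a helper at alternate config or
// loader settings (assumption; extend per helper).
const DENIED_PREFIXES: string[] = ["LD_", "DYLD_", "GIT_", "SSL_"];

// The only keys a caller may set. Everything else is refused, so a new,
// unanticipated variable is rejected rather than passed through.
const ALLOWED_KEYS: Set<string> = new Set(["LANG", "LC_ALL", "TZ", "TERM", "NO_COLOR"]);

// Normalise before comparing so case variants (relevant on platforms with
// case-insensitive environment names) cannot slip past a case-sensitive denylist.
function normalizeKey(key: string): string {
  return key.trim().toUpperCase();
}

function sanitizeEnvOverrides(
  overrides: Record<string, string>,
  allowed: Set<string> = ALLOWED_KEYS,
): EnvDecision {
  const accepted: Record<string, string> = {};
  const rejected: EnvRejection[] = [];

  for (const [rawKey, value] of Object.entries(overrides)) {
    const key = normalizeKey(rawKey);

    if (!/^[A-Z_][A-Z0-9_]*$/.test(key)) {
      rejected.push({ key: rawKey, reason: "malformed variable name" });
      continue;
    }
    // NUL or newline in a value can corrupt how the environment block is
    // built or logged; a strict policy refuses them outright.
    if (value.includes("\0") || value.includes("\n")) {
      rejected.push({ key: rawKey, reason: "control character in value" });
      continue;
    }
    if (LOADER_AND_INTERPRETER_KEYS.has(key) || DENIED_PREFIXES.some((p) => key.startsWith(p))) {
      rejected.push({ key: rawKey, reason: "alters loader, interpreter or config loading" });
      continue;
    }
    if (!allowed.has(key)) {
      rejected.push({ key: rawKey, reason: "not on allowlist" });
      continue;
    }
    accepted[key] = value;
  }
  return { accepted, rejected };
}

// Gate used before spawning: the spawn proceeds only when nothing was rejected,
// so an override the approval step cannot see on the command line fails closed.
function approveEnvOverrides(overrides: Record<string, string>): Record<string, string> | null {
  const decision = sanitizeEnvOverrides(overrides);
  return decision.rejected.length === 0 ? decision.accepted : null;
}

// Constructed sample input: benign locale/timezone overrides mixed with
// overrides that would change what the helper loads or executes.
const SAMPLE_OVERRIDES: Record<string, string> = {
  LANG: "C.UTF-8",
  ld_preload: "/tmp/example.so",
  NODE_OPTIONS: "--require /tmp/example.js",
  PATH: "/tmp:/usr/bin",
  GIT_CONFIG_GLOBAL: "/tmp/example-gitconfig",
  TZ: "UTC",
};

const sampleDecision = sanitizeEnvOverrides(SAMPLE_OVERRIDES);
console.log("accepted:", sampleDecision.accepted);
for (const r of sampleDecision.rejected) console.log(`rejected ${r.key}: ${r.reason}`);
console.log("spawn permitted:", approveEnvOverrides(SAMPLE_OVERRIDES) !== null);
```

Rejections are returned rather than silently dropped so the caller can log them and refuse the request; quietly filtering a rejected key would leave the approval decision made on a command line that no longer describes the environment the helper actually receives.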


Remediation

Install the security update from the vendor's website.

Sources