Main Vulnerability Database Vulnerabilities #VU125132

#VU125132 External Control of System or Configuration Setting in OpenClaw

Published: April 8, 2026

Vulnerability identifier: #VU125132

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-15

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
OpenClaw

Software vendor:
OpenClaw

Description

The vulnerability allows a remote user to bypass allowlist and approval controls and influence subprocess behavior.

The vulnerability exists due to external control of system or configuration setting in system.run environment override sanitization in src/infra/host-env-security.ts when processing env overrides for spawned processes. A remote user can supply crafted environment overrides to bypass allowlist and approval controls and influence subprocess behavior.

Exploitation requires the ability to invoke system.run with env overrides, and the issue can affect helper-command execution or config-loading behavior that is not represented by the approved command line.

Remediation

Install security update from vendor's website.

External links

https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc

#VU125132 External Control of System or Configuration Setting in OpenClaw

Description

Remediation

External links

Please verify you're human