VDB
EN
MEDIUM

GHSA-98ch-45wp-ch47

OpenClaw: Windows-compatible env override keys could bypass system.run approval binding

상세

## Summary

Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time.

## Impact

An approved command could run with attacker-chosen environment overrides that were not represented in the approval binding. This created an approval-integrity gap for affected host-exec flows.

## Affected Packages / Versions

- Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d` — align approval binding with execution-time env-key normalization

## Release Process Note

The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.

Thanks @iskindar for reporting, and thanks @wsparks-vc for coordination.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / openclaw
최초 영향 버전: 0 수정 버전: 2026.4.2
수정 npm install openclaw@2026.4.2

참고