VDB
EN
HIGH 7.7

GHSA-jccr-rrw2-vc8h

OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure

상세

## Summary

The jq safe-bin policy blocked explicit `env` usage but still allowed jq programs that accessed environment data through `$ENV`.

## Impact

An operator-approved safe-bin jq command could disclose environment variables that the safe-bin policy was supposed to keep out of scope.

## Affected Component

`src/infra/exec-safe-bin-semantics.ts`

## Fixed Versions

- Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix.

## Fix

Fixed by commit `78e2f3d66d` (`Exec: tighten jq safe-bin env checks`).

Thanks @nicky-cc of Tencent zhuque Lab ([https://github.com/Tencent/AI-Infra-Guard](https://github.com/Tencent/AI-Infra-Guard)) for reporting.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / openclaw
최초 영향 버전: 0 수정 버전: 2026.3.28
수정 npm install openclaw@2026.3.28

참고