Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-2ch1-em2t-q7er
Vulnerability ID VCID-2ch1-em2t-q7er
Aliases GHSA-xrgf-r9gr-jjjf
Summary Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vfp4-8x56-j7c5. This link is maintained to preserve external references. ### Original Description OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-184 Incomplete List of Disallowed Inputs
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-xrgf-r9gr-jjjf
cvssv3.1 8.8 https://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140
cvssv4 8.7 https://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140
generic_textual HIGH https://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140
cvssv3.1 8.8 https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5
cvssv4 8.7 https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5
generic_textual HIGH https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2026-43584
cvssv4 8.7 https://nvd.nist.gov/vuln/detail/CVE-2026-43584
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-43584
cvssv3.1 8.8 https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy
cvssv4 8.7 https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy
generic_textual HIGH https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy
Reference id Reference type URL
https://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140
https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5
https://nvd.nist.gov/vuln/detail/CVE-2026-43584
https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy
GHSA-xrgf-r9gr-jjjf https://github.com/advisories/GHSA-xrgf-r9gr-jjjf
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Found at https://github.com/openclaw/openclaw/commit/2d126fc62343a7b6895351f96e4e1474bc358140
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Found at https://github.com/openclaw/openclaw/security/advisories/GHSA-vfp4-8x56-j7c5
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-43584
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Found at https://nvd.nist.gov/vuln/detail/CVE-2026-43584
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Found at https://www.vulncheck.com/advisories/openclaw-insufficient-environment-variable-denylist-in-exec-policy
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-04T17:04:48.217798+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xrgf-r9gr-jjjf/GHSA-xrgf-r9gr-jjjf.json 38.6.0