GHSA-39pp-xp36-q6mg (CVE-2026-35650)

Details

Summary

Gateway host exec env override handling did not consistently apply the shared host environment policy, so blocked or malformed override keys could slip through inconsistent sanitization paths.

Affected Packages / Versions

Package: openclaw (npm)
Affected: < 2026.3.22
Fixed: >= 2026.3.22
Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

7abfff756d6c68d17e21d1657bbacbaec86de232

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

src/infra/host-env-security.ts now provides one shared sanitizer and fail-closed diagnostics for blocked or malformed override keys.
src/agents/bash-tools.exec.ts and src/node-host/invoke-system-run.ts both route env overrides through the shared sanitizer before execution.

OpenClaw thanks @zpbrent for reporting.

Affected Packages

openclaw

npm

Fixed in:

2026.3.22

References

ADVISORY

https://github.com/advisories/GHSA-39pp-xp36-q6mg

PACKAGE

https://github.com/openclaw/openclaw

WEB