
[MEDIUM] Security Advisory: OpenClaw: SSH-based sandbox backends pass unsanitized process.env to child processes (openclaw)


OpenClaw, an npm package for SSH-based sandboxing, had a vulnerability in versions up to 2026.3.28. It passed unsanitized Node.js process.env variables directly to child processes spawned by local SSH connections. Developers patched it in version 2026.3.31 via commit cfe14459531e002a1c61c27d97ec7dc8aecddc1f on March 30, 2026. Maintainers rated it low severity and narrow scope—local leakage only, unless users enable non-default SSH environment forwarding for remote access.

This matters because sandboxes exist to isolate untrusted code. Leaking environment variables undermines that. Process.env often holds secrets: API keys, database creds, session tokens. An attacker running code in the sandbox could read these via the child SSH process, even locally. Remote exploitation requires tweaking SSH config like SendEnv in ~/.ssh/config or server-side AcceptEnv, which few do by default.

Breaking Down the Vulnerability

OpenClaw uses SSH to execute sandboxed tasks on local or remote hosts. In affected versions, it spawned SSH child processes without filtering environment variables. Node’s child_process.spawn() inherits the parent’s env by default unless you pass a cleaned object.

The fix sanitizes env before spawning. Check the commit: it strips sensitive vars or whitelists safe ones. Reported by @AntAISecurityLab, OpenClaw maintainers triaged fast—patch out same day. Vulnerable range: all versions <=2026.3.28. Update to >=2026.3.31.

Npm shows latest as 2026.3.31. To check your version, run

npm ls openclaw

If vulnerable, run

npm update openclaw

No known exploits, but npm’s 2 million weekly downloads mean wide exposure potential.

Real-World Risks and Implications

Low severity feels right—exploits local SSH only. But consider context: developers use OpenClaw for cloud sandboxes or CI/CD pipelines. A malicious npm dependency or user-submitted code in a web app could trigger this. Leaked env might expose AWS keys (average breach costs $4.45M per IBM 2023 report) or crypto wallet seeds.

SSH env forwarding amplifies risk. Default OpenSSH ignores most env vars remotely for security. Enable it? You’re asking for trouble. Stats: 15% of SSH servers accept env per Qualys scans. If your setup does, bump severity to medium—remote code could slurp your env.

Bigger picture: Node.js ecosystem riddled with env leaks. Snyk tracks 500+ vulns yearly from unsanitized child procs. Best practice: always whitelist env. Example fix pattern:

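const { spawn } = require('child_process');

// Pass only the variables the child needs; everything else in process.env is dropped.
const safeEnv = {
  PATH: process.env.PATH,
  HOME: process.env.HOME,
  // Add only needed vars
};
// args: the ssh argument array, built by the caller
const child = spawn('ssh', args, { env: safeEnv });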

OpenClaw’s maintainers handled this well: transparent triage, quick fix, credit to finder. Skeptical take—version numbers like 2026.3.31 scream auto-generated or futuristic versioning, but npm accepts it. No zero-days reported, likely because sandbox users run isolated envs already.

Why care if not using OpenClaw? Transitive deps. Audit your package-lock.json. Tools like npm audit or Snyk flag it. In 2024, 80% of breaches hit supply chains (Verizon DBIR). Patch now, or risk insider leaks from sandboxed code.

Recommendations: Update immediately. Disable SSH env forwarding: comment out SendEnv lines. Run sandboxes as low-priv user. Use npm ci in CI to lock deps. Monitor npm advisories—OpenClaw’s first, but not last.

This vuln underscores Node’s pitfalls: convenient defaults breed slop. Devs prioritize speed over lockdown. Fair to maintainers—they fixed it. But users, verify your stack. One leaked token, and your infra’s compromised.

April 3, 2026 · Source: GitHub Security
