GHSA-jccr-rrw2-vc8h.yaml
info:
  name: OpenClaw
  cve: GHSA-jccr-rrw2-vc8h
  summary: OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure
  details: >-
    Summary

    The jq safe-bin policy blocked explicit env usage but still allowed jq programs that accessed environment data through $ENV.

    Impact

    An operator-approved safe-bin jq command could disclose environment variables that the safe-bin policy was supposed to keep out of scope.

    Affected Component

    src/infra/exec-safe-bin-semantics.ts

    Fixed Versions

    - Affected: <= 2026.3.24

    - Patched: >= 2026.3.28

    - Latest stable 2026.3.28 contains the fix.

    Fix

    Fixed by commit 78e2f3d66d (Exec: tighten jq safe-bin env checks).
  cvss: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  severity: HIGH
  security_advise: 'Upgrade openclaw to >= 2026.3.28 or later. Fixed by commit 78e2f3d66d (Exec: tighten jq safe-bin env checks).'
  references:
    - https://github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h
rule: version <= "2026.3.24"
references:
  - https://github.com/openclaw/openclaw/security/advisories/GHSA-jccr-rrw2-vc8h