
Boyhack

#18419 of 53,608
14.7 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2026-35797
6.1
2026-04-09
Openclaw · Openclaw · CVE-2026-41915
**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.8

**Description** OpenClaw fails to remove git plumbing environment variables from the execution environment before performing host exec operations. This allows attackers to set `GIT_DIR` and related variables to redirect git operations, which can compromise the integrity of the repository.

**Recommendations** Update to version 2026.4.8.
PT-2026-35805
8.6
2026-04-09
Openclaw · Openclaw · CVE-2026-42427
**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.8

**Description** Remote code execution is possible due to missing environment variable denylist entries. Attackers can inject malicious build tool environment variables, specifically `HGRCPATH`, `CARGO_BUILD_RUSTC_WRAPPER`, `RUSTC_WRAPPER`, and `MAKEFLAGS`, to influence host exec commands and achieve arbitrary code execution.

**Recommendations** Update to version 2026.4.8.