What is GHSA-55cf-xx38-4p9p?

GHSA-55cf-xx38-4p9p is a security advisory published by GitHub Security Advisories with Medium severity. OpenClaw: Workspace dotenv files cannot override connector endpoint hosts

Which CVE IDs does GHSA-55cf-xx38-4p9p cover?

GHSA-55cf-xx38-4p9p covers the following CVE IDs: CVE-2026-45003. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-55cf-xx38-4p9p?

GHSA-55cf-xx38-4p9p affects 1 product, including: npm/openclaw:\u003c= 2026.4.21.

GHSA-55cf-xx38-4p9pMedium

OpenClaw: Workspace dotenv files cannot override connector endpoint hosts

Vendor

GitHub Security Advisories

Published

May 4, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-45003 →

📋 Description

Summary

Workspace dotenv files cannot override connector endpoint hosts.

Affected Packages / Versions

Package: openclaw (npm)
Affected versions: <= 2026.4.21
Fixed version: 2026.4.22

Impact

A workspace .env file could set connector endpoint variables for Matrix, Mattermost, IRC, or Synology-related connectors and redirect runtime traffic away from the operator-configured endpoint.

Fix

Workspace .env loading now blocks those endpoint variables, including per-account Matrix homeserver suffixes and generic base-url/API-host style overrides. Trusted global runtime dotenv loading remains separate.

Fix Commit(s)

0623079e98abf7202591f1b04a89755eb7ec9272

Verification

The fix commit is contained in the public v2026.4.22 tag.
openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
Focused regression coverage for this path passed before publication.

OpenClaw thanks @qi-scape for reporting.

🎯 Affected products1

npm/openclaw:<= 2026.4.21